Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by krbdev.mit.edu (8.9.3) with ESMTP id QAA25449; Fri, 9 May 2003 16:11:26 -0400 (EDT)
Received: from konishi-polis.mit.edu (KONISHI-POLIS.MIT.EDU [18.18.3.10]) by pacific-carrier-annex.mit.edu (8.12.4/8.9.2) with ESMTP id h49KBPDE022984 for ; Fri, 9 May 2003 16:11:25 -0400 (EDT)
Received: by konishi-polis.mit.edu (Postfix, from userid 8042) id 59F97151588; Fri, 9 May 2003 16:11:25 -0400 (EDT)
To: krb5-bugs@mit.edu
Subject: preauth2.c leaks memory, double frees memory and uses freed data
Message-Id: <20030509201125.59F97151588@konishi-polis.mit.edu>
Date: Fri, 9 May 2003 16:11:25 -0400 (EDT)
From: hartmans@MIT.EDU (Sam Hartman)
X-RT-Original-Encoding: iso-8859-1
Content-Length: 587

krb5_do_preauth and krb5_get_init_creds have bad memory management interactions. The following can happen as an example:

1) krb5_get_init_creds calls krb5_do_preauth
2) krb5_do_preauth sets up salt by copying a pointer out of etype_info
3) krb5_do_preauth calls krb5_free_etype_info
4) krb5_do_preauth returns the salt pointer it set up in 2
5) krb5_get_init_creds calls gak_fct with the salt pointer from 2
6) After gak_fct returns, krb5_get_init_creds frees the salt.

This looks like a double free and a use of freed memory. I think there may be other paths that involve leaks.
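The ownership mistake in steps 2 to 6 above, modelled as an added example that is not code from the krb5 tree: the structures, the `do_preauth_*`/`free_etype_info` names and the salt string are simplified stand-ins, and the fix shown is the deep copy that gives the caller sole ownership of the salt.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for krb5_data and an etype_info entry; the real
 * structures and the helper names below are assumptions, not krb5 code. */
typedef struct { size_t length; char *data; } salt_data;
typedef struct { salt_data salt; } etype_info_entry;

etype_info_entry *make_etype_info(const char *salt_text) {
    etype_info_entry *e = malloc(sizeof *e);
    e->salt.length = strlen(salt_text);
    e->salt.data = malloc(e->salt.length + 1);
    memcpy(e->salt.data, salt_text, e->salt.length + 1);
    return e;
}

void free_etype_info(etype_info_entry *e) {
    free(e->salt.data);
    free(e);
}

/* Bug shape from the report: the salt is aliased, then its owner is freed.
 * The returned pointer is dangling, and the caller's later free() of it is
 * the double free. Shown for comparison only; nothing here calls it. */
salt_data do_preauth_broken(etype_info_entry *info) {
    salt_data salt = info->salt;       /* step 2: pointer copied, not data */
    free_etype_info(info);             /* step 3: frees salt.data too */
    return salt;                       /* step 4: dangling pointer returned */
}

/* Fix: give the caller its own copy, so ownership is unambiguous and
 * free_etype_info() no longer releases memory the caller still holds. */
salt_data do_preauth_fixed(etype_info_entry *info) {
    salt_data salt;
    salt.length = info->salt.length;
    salt.data = malloc(salt.length + 1);
    memcpy(salt.data, info->salt.data, salt.length + 1);
    free_etype_info(info);
    return salt;
}

/* Caller's side (the gak_fct step and the final free). Returns 1 when the
 * salt seen by the callback is intact and exactly one free() releases it. */
int run_fixed_flow(void) {
    salt_data salt = do_preauth_fixed(make_etype_info("ATHENA.MIT.EDUuser"));
    int intact = salt.length == 18 && memcmp(salt.data, "ATHENA.MIT.EDUuser", 19) == 0;
    free(salt.data);                   /* step 6: single, well-defined free */
    return intact;
}
```

Building with AddressSanitizer and calling do_preauth_broken() instead reports the heap-use-after-free at the memcmp and the double free at the final free(), which is how a report like the one above is confirmed.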