From papowell@dickory.sdsu.edu Mon Jan 27 14:36:58 1997
Message-Id: <199701271934.LAA26576@dickory.sdsu.edu>
Date: Mon, 27 Jan 1997 11:34:51 -0800 (PST)
From: Patrick Powell
Reply-To: papowell@dickory.sdsu.edu
To: krb5-bugs@MIT.EDU
Subject: krb5_sendauth: freeing returned creds structure
X-Send-Pr-Version: 3.99

>Number:         357
>Category:       krb5-libs
>Synopsis:       krb5_sendauth returning freed creds
>Confidential:   yes
>Severity:       serious
>Priority:       high
>Responsible:    probe
>State:          closed
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Mon Jan 27 14:37:01 EST 1997
>Last-Modified:  Fri May 30 15:55:24 EDT 1997
>Originator:     Patrick Powell
>Organization:
Prof. Patrick Powell
Dept.
Electrical and Computer Engineering, San Diego State University,
San Diego, CA 92182-1309
Office (619) 594-7796; Lab (619) 594-7578; FAX (619) 594-7577
email: papowell@sdsu.edu
>Release:        1.0
>Environment:
System: SunOS dickory 4.1.4 2 sun4m
Architecture: sun4
>Description:
src/lib/krb5/krb/sendauth.c

    krb5_sendauth(context, auth_context,
                  /* IN */
                  fd, appl_version, client, server, ap_req_options,
                  in_data, in_creds,
                  /* IN/OUT */
                  ccache,
                  /* OUT */
                  error, rep_result, out_creds)
        krb5_context          context;
        krb5_auth_context   * auth_context;
        krb5_pointer          fd;
        char                * appl_version;
        krb5_principal        client;
        krb5_principal        server;
        krb5_flags            ap_req_options;
        krb5_data           * in_data;
        krb5_creds          * in_creds;
        krb5_ccache           ccache;
        krb5_error         ** error;
        krb5_ap_rep_enc_part ** rep_result;
        krb5_creds         ** out_creds;

out_creds is used to return the credentials to the caller. At the end of
the routine, we have the following:

        retval = 0;                 /* Normal return */
        if (out_creds) {
            *out_creds = credsp;    <--- returned to user value
        }
    error_return:
        krb5_free_cred_contents(context, &creds);
        if (credspout)                                  <<<<<<<<<<<<<<<<<<<<
            krb5_free_creds(context, credspout);        <<<<<<<< whoops! we free this.
        if (!ccache && use_ccache)
            krb5_cc_close(context, use_ccache);
        return(retval);
    }

We should not free the credentials if they are returned.
>How-To-Repeat:
>Fix:
*** sendauth.c	Mon Jan 27 11:28:12 1997
--- sendauth.c.orig	Mon Jan 27 11:28:09 1997
***************
*** 218,224 ****
    error_return:
      krb5_free_cred_contents(context, &creds);
!     if ( !out_creds && credspout)
        krb5_free_creds(context, credspout);
      if (!ccache && use_ccache)
        krb5_cc_close(context, use_ccache);
--- 218,224 ----
    error_return:
      krb5_free_cred_contents(context, &creds);
!     if (credspout)
        krb5_free_creds(context, credspout);
      if (!ccache && use_ccache)
        krb5_cc_close(context, use_ccache);
>Audit-Trail:
State-Changed-From-To: closed-feedback
State-Changed-By: tlyu
State-Changed-When: Wed Feb 12 16:00:52 1997
State-Changed-Why:
Re-opening... we shouldn't close this until patchlevel 1 goes out because
we need to reference the file version.

Responsible-Changed-From-To: basch->probe
Responsible-Changed-By: probe
Responsible-Changed-When: Tue Apr 1 19:53:51 1997
Responsible-Changed-Why:

State-Changed-From-To: feedback-closed
State-Changed-By: tlyu
State-Changed-When: Fri May 30 15:55:11 1997
State-Changed-Why:
1.0pl1 has been released
>Unformatted:
no krb5_sendauth frees credentials even when returned to user critical high krb5-libs sw-bug

[Feb 07 1997 - basch] I concur that this code fragment is indeed in error,
and have patched the mainline source tree. The patch should be included in
the 1.1 release. [Also queued for 1.0 patch1]

Patched files: src/lib/krb5/krb/sendauth.c 5.29
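Review bot: the file headers of the submitted diff are in reverse order for a forward patch: `*** sendauth.c` (the edited copy, carrying `! if ( !out_creds && credspout)`) is listed as the old file and `--- sendauth.c.orig` as the new one, so patch(1) run against a stock 1.0 tree would treat the hunk as already applied or ask to reverse it; regenerate with the original as the `***` file before it is queued. On the change itself, guarding the free on `!out_creds` alone skips the free whenever the caller passed an out_creds pointer, including the error path, where control reaches error_return with a non-zero retval and `*out_creds = credsp` has not run, so the looked-up credentials leak. A tighter fix is to transfer ownership at the assignment shown in the description, e.g. `*out_creds = credsp;` followed by clearing credspout when it refers to that allocation, so the existing `if (credspout) krb5_free_creds(context, credspout);` can stay unchanged and still clean up on error. Also, both hunk headers say 218,224 (seven lines) while only six lines of each half survive here; confirm the quoted patch is complete before applying.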
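The ownership bug described in this report, as an added example rather than code from the krb5 tree: a constructed stand-in for the sendauth cleanup with the reported form beside one that hands ownership to the caller, plus a live-allocation counter so the outcome can be checked without touching freed memory. The struct, the counter and the function names are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for krb5_creds: only what the example needs. */
typedef struct { char client[64]; } fake_creds;

/* Count of live allocations, so ownership can be observed without
 * touching memory that may already have been freed. */
static int live_creds = 0;

static fake_creds *creds_alloc(const char *client) {
    fake_creds *c = malloc(sizeof *c);
    if (!c) return NULL;
    strncpy(c->client, client, sizeof c->client - 1);
    c->client[sizeof c->client - 1] = '\0';
    live_creds++;
    return c;
}

static void creds_free(fake_creds *c) {
    if (c) { free(c); live_creds--; }
}

/* Mirrors the reported cleanup: credspout is freed unconditionally, even
 * after the same pointer was handed to the caller through out_creds.
 * fail != 0 models a failure after the lookup (the error_return path). */
int sendauth_buggy(int fail, fake_creds **out_creds) {
    int retval = 0;
    fake_creds *credspout = creds_alloc("user@EXAMPLE.COM");  /* constructed */
    if (!credspout) return -1;
    if (fail) { retval = -1; goto error_return; }
    if (out_creds) *out_creds = credspout;  /* caller now holds this pointer */
error_return:
    creds_free(credspout);                  /* ... and it is freed anyway */
    return retval;
}

/* Hardened: ownership moves to the caller by clearing the local pointer at
 * the hand-off, so the error path still frees and the success path does not. */
int sendauth_fixed(int fail, fake_creds **out_creds) {
    int retval = 0;
    fake_creds *credspout = creds_alloc("user@EXAMPLE.COM");  /* constructed */
    if (!credspout) return -1;
    if (fail) { retval = -1; goto error_return; }
    if (out_creds) { *out_creds = credspout; credspout = NULL; }
error_return:
    creds_free(credspout);                  /* NULL after hand-off: no-op */
    return retval;
}
```

The caller of the hardened version owns whatever comes back in out_creds and must release it with creds_free once done.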