Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.411 (Entity 5.404)
X-RT-Original-Encoding: iso-8859-1
Content-Length: 3522
From krb5-bugs-incoming-bounces@PCH.mit.edu Thu Jun 22 15:24:48 2006
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by krbdev.mit.edu (8.9.3p2) with ESMTP id PAA14927; Thu, 22 Jun 2006 15:24:48 -0400 (EDT)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id k5MJOIFw025275 for ; Thu, 22 Jun 2006 15:24:18 -0400
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id k5MFlGD9014360 for ; Thu, 22 Jun 2006 11:47:16 -0400
Received: from skamandros.sncag.com ([217.111.56.2]) by pacific-carrier-annex.mit.edu (8.13.6/8.9.2) with ESMTP id k5MFl5Vo015803 for ; Thu, 22 Jun 2006 11:47:11 -0400 (EDT)
Received: from skamandros.sncag.com (localhost [127.0.0.1]) by skamandros.sncag.com (8.13.4/8.13.4/Debian-3sarge1) with ESMTP id k5MFkxQQ006100 for ; Thu, 22 Jun 2006 17:46:59 +0200
Received: (from rw@localhost) by skamandros.sncag.com (8.13.4/8.13.4/Submit) id k5MFkxks006097; Thu, 22 Jun 2006 17:46:59 +0200
Date: Thu, 22 Jun 2006 17:46:59 +0200
From: Rainer Weikusat
Message-Id: <200606221546.k5MFkxks006097@skamandros.sncag.com>
To: krb5-bugs@mit.edu
Subject: double-free in srv_rcache.c
X-send-pr-version: 3.99
X-Spam-Score: 0
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
X-Mailman-Approved-At: Thu, 22 Jun 2006 15:24:17 -0400
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Sender: krb5-bugs-incoming-bounces@PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu

>Submitter-Id: net
>Originator: Rainer Weikusat
>Organization: SNC AG
>Confidential: no
>Synopsis: the krb5_get_server_rcache routine frees already freed memory in error path
>Severity: non-critical
>Category: krb5-libs
>Class: sw-bug
>Release: 1.4.3
>Environment:
System: Linux skamandros 2.6.16.18 #5 SMP Tue May 30 13:42:31 CEST 2006 i686 GNU/Linux
Architecture: i686
>Description:
The krb5_get_server_rcache routine in src/lib/krb5/krb has a local variable named rcache which is freed before returning to the caller if its value is not a null pointer. The krb5_rc_resolve_full routine (in src/lib/krb5/rcache/rc_base.c), which krb5_get_server_rcache calls towards the end (l. 107), allocates memory for a krb5 rcache descriptor structure and stores its address at the location its parameter id points to. When called from krb5_get_server_rcache, this is the address of the rcache variable. If the type cannot be resolved (e.g. because it hasn't been registered), krb5_rc_resolve_full frees the memory but does not clear the already initialized pointer, so the calling routine attempts to free it a second time.
>How-To-Repeat:
Use the KRB5RCACHETYPE variable to request a replay cache type unknown to the Kerberos library.
>Fix:
--- kerberos-srv-rcache-fix/src/lib/krb5/krb/srv_rcache.c 19 Mar 2006 14:42:00 -0000 1.1.1.1
+++ kerberos-srv-rcache-fix/src/lib/krb5/krb/srv_rcache.c 22 Jun 2006 15:26:59 -0000 1.1.1.1.12.1
@@ -115,17 +115,13 @@ retval = krb5_rc_recover_or_initialize(context, rcache, context->clockskew); if (retval) { krb5_rc_close(context, rcache); - rcache = 0; goto cleanup; } *rcptr = rcache; - rcache = 0; retval = 0; cleanup: - if (rcache) - krb5_xfree(rcache); if (cachename) krb5_xfree(cachename); return retval;
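Review bot: the cleanup block at the end of the hunk drops `if (rcache) krb5_xfree(rcache);` entirely, which fixes the double free by removing the caller's error-path release rather than by repairing the contract of krb5_rc_resolve_full, which the report says frees the descriptor without clearing the pointer it stored through `id`; consider also resetting that out-pointer to null on the failure path in rc_base.c so that other callers of krb5_rc_resolve_full which free on error do not inherit the same dangling pointer. With the xfree gone, the two removed `rcache = 0;` assignments are consistent, but the `if (retval) { krb5_rc_close(context, rcache); goto cleanup; }` branch is now the only place the descriptor is released before `return retval;`, so the change relies on krb5_rc_close freeing the handle as well as closing it; a one-line comment at that call stating this ownership rule would help the next reader.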
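The ownership problem the report describes is a general one: a callee that allocates into an out-parameter, fails, frees the allocation and leaves the caller's pointer dangling, while the caller's cleanup path frees whatever the pointer holds. The following added example (written for this page, not krb5 code; the names rcache_t, resolve_full, get_server_rcache, the type table and the allocation counters are all constructed) models that contract in miniature with the callee written the safe way: on its unknown-type error path it frees the descriptor and resets the out-pointer to NULL, so a caller that mirrors krb5_get_server_rcache's `if (rcache) free` cleanup cannot double-free. Allocation and free counters stand in for what a memory sanitizer would report.

```c
/* Added example, not krb5 code: models the allocate-into-out-parameter
 * contract between krb5_rc_resolve_full and krb5_get_server_rcache.
 * All names and the type registry are constructed for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct rcache {
    const char *type;   /* points into the registry, not owned */
    char *name;         /* owned */
} rcache_t;

#define ERR_BADTYPE 1
#define ERR_NOMEM   2

/* Allocation accounting: a double free would make g_frees exceed g_allocs,
 * a leak would leave g_allocs above g_frees. */
static int g_allocs = 0, g_frees = 0;

static void *track_malloc(size_t n) { void *p = malloc(n); if (p) g_allocs++; return p; }
static void  track_free(void *p)    { if (p) { g_frees++; free(p); } }

/* Constructed registry of "registered" replay cache types. */
static const char *const known_types[] = { "dfl", "none" };

static const char *lookup_type(const char *type, size_t len)
{
    for (size_t i = 0; i < sizeof known_types / sizeof known_types[0]; i++)
        if (strlen(known_types[i]) == len && memcmp(known_types[i], type, len) == 0)
            return known_types[i];
    return NULL;
}

/* Releases a descriptor and everything it owns. */
static void rc_close(rcache_t *rc)
{
    if (!rc) return;
    track_free(rc->name);
    track_free(rc);
}

/* Callee: parses "type:name" and allocates the descriptor into *id.
 * The defect in the report is a callee that frees the descriptor on the
 * unknown-type path but leaves *id pointing at the freed block; here every
 * error exit that frees the block also resets *id to NULL. */
static int resolve_full(const char *spec, rcache_t **id)
{
    const char *colon = strchr(spec, ':');
    size_t tlen = colon ? (size_t)(colon - spec) : strlen(spec);
    const char *name = colon ? colon + 1 : "";

    rcache_t *rc = track_malloc(sizeof *rc);
    if (!rc) return ERR_NOMEM;
    rc->name = NULL;
    *id = rc;                         /* the caller's variable now points here */

    rc->type = lookup_type(spec, tlen);
    if (!rc->type) {
        rc_close(rc);
        *id = NULL;                   /* never hand back a freed pointer */
        return ERR_BADTYPE;
    }
    rc->name = track_malloc(strlen(name) + 1);
    if (!rc->name) { rc_close(rc); *id = NULL; return ERR_NOMEM; }
    memcpy(rc->name, name, strlen(name) + 1);
    return 0;
}

/* Caller, shaped like the cleanup pattern in krb5_get_server_rcache:
 * anything still held in rcache at cleanup is released. This is only
 * safe because resolve_full upholds the contract above. */
static int get_server_rcache(const char *spec, rcache_t **rcptr)
{
    rcache_t *rcache = NULL;
    int retval = resolve_full(spec, &rcache);
    if (retval) goto cleanup;
    *rcptr = rcache;
    rcache = NULL;                    /* ownership transferred to the caller */
cleanup:
    if (rcache)
        rc_close(rcache);
    return retval;
}

/* Drives the registered and the unknown-type path; returns 1 when the caller
 * never observes a dangling pointer and every allocation was freed once. */
static int run_both_paths(void)
{
    rcache_t *rc = NULL;
    if (get_server_rcache("dfl:myhost", &rc) != 0 || rc == NULL) return 0;
    if (strcmp(rc->type, "dfl") != 0 || strcmp(rc->name, "myhost") != 0) return 0;
    rc_close(rc);
    rc = NULL;
    if (get_server_rcache("bogus:myhost", &rc) != ERR_BADTYPE) return 0;
    if (rc != NULL) return 0;
    return g_allocs == g_frees;
}

int main(void)
{
    printf("ownership contract upheld: %s (allocs=%d frees=%d)\n",
           run_both_paths() ? "yes" : "no", g_allocs, g_frees);
    return 0;
}
```

The alternative fix, the one the posted patch takes, is to delete the caller's cleanup free and rely on the callee to release on every failure; that works for this one caller, but nulling the out-pointer in the callee protects every caller that frees on error, and the two approaches can be combined.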