From kwc@dh171.citi.umich.edu Fri Oct 4 09:24:32 2002
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by krbdev.mit.edu (8.9.3) with ESMTP
id JAA13557; Fri, 4 Oct 2002 09:24:32 -0400 (EDT)
Received: from dh171.citi.umich.edu (dh171.citi.umich.edu [141.211.133.171])
by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id JAA14956
for <krb5-bugs@mit.edu>; Fri, 4 Oct 2002 09:24:32 -0400 (EDT)
Received: (from kwc@localhost)
by dh171.citi.umich.edu (8.11.6/8.11.6) id g94DRuN32591;
Fri, 4 Oct 2002 09:27:56 -0400
Date: Fri, 4 Oct 2002 09:27:56 -0400
Message-Id: <200210041327.g94DRuN32591@dh171.citi.umich.edu>
To: krb5-bugs@mit.edu
Subject: padata memory leak in AS_REQ path
From: kwc@citi.umich.edu
Reply-To: kwc@citi.umich.edu
X-send-pr-version: 3.99
>Submitter-Id: net
>Originator: Kevin Coffman
>Organization:
Kevin Coffman
Center for Information Technology Integration
University of Michigan
3106 Argus
535 West William Street
Ann Arbor, MI, 48103-4943
Phone: (734) 763-0592
mailto:kwc@umich.edu
http://www.citi.umich.edu/u/kwc/
>Confidential: no
>Synopsis: padata not freed from reply structure
>Severity: serious
>Priority: medium
>Category: krb5-kdc
>Class: sw-bug
>Release: krb5-1.2.5
>Environment:
All systems and architectures are affected.
>Description:
When preauthentication data is returned as part of the
AS_REQ, the padata is never released from the reply
structure after the return packet is constructed.
Also, normal processing already frees the encrypting_key
contents, so it should be freed conditionally in the errout:
section.
>How-To-Repeat:
AS_REQs for users with only an AFS key in the database have
the pw-salt padata returned in the response. Also, we have
code to use the SPECIAL salt type for users whose principal
name (uniqname) has been changed. This also results in
padata being returned in the response.
>Fix:
Apply the following patch (this patch is against the 1.2.6 release):
--- src/kdc/do_as_req.c.orig Fri Oct 4 09:00:10 2002
+++ src/kdc/do_as_req.c Fri Oct 4 09:04:35 2002
@@ -448,8 +448,10 @@
errcode = prepare_error_as(request, errcode, &e_data, response);
}
- krb5_free_keyblock_contents(kdc_context, &encrypting_key);
-
+ if (encrypting_key.contents)
+ krb5_free_keyblock_contents(kdc_context, &encrypting_key);
+ if (reply.padata)
+ krb5_free_pa_data(kdc_context, reply.padata);
if (cname)
free(cname);
if (sname)
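Review bot: both new conditionals are only correct if the fields they test are initialised before the first goto errout and cleared by the routine that frees them, and neither is visible in this hunk. `if (encrypting_key.contents)` prevents a second free after the normal path has already called krb5_free_keyblock_contents only if that routine sets contents to NULL; if it does not, the check still passes and the block is freed twice, so either confirm that behaviour in the 1.2.6 tree or set `encrypting_key.contents = NULL` explicitly after the normal-path free. Likewise `if (reply.padata)` assumes reply was zeroed (or reply.padata set to NULL) at function entry, since an error before any padata is attached reaches errout: with whatever the stack held; if reply is not initialised there, krb5_free_pa_data is handed a garbage pointer. Minor: the hunk is stated to be against 1.2.6 while the report's Release field says krb5-1.2.5, so the @@ -448 offset should be checked against whichever tree it is applied to.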