From jgm@portolacomm.com Sun Nov 3 13:40:14 1996
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id NAA00659 for <bugs@RT-11.MIT.EDU>; Sun, 3 Nov 1996 13:40:13 -0500
Received: from [205.178.2.165] by MIT.EDU with SMTP
id AA21627; Sun, 3 Nov 96 13:40:12 EST
Received: from porta-sparc.portolacomm.com (porta-sparc.portolacomm.com [205.178.2.165]) by porta-sparc.portolacomm.com (8.8.0/8.8.0) with SMTP id KAA00766 for <krb5-bugs@athena.mit.edu>; Sun, 3 Nov 1996 10:38:03 -0800 (PST)
Message-Id: <Pine.GSO.3.95L.961103103400.756A-100000@porta-sparc.portolacomm.com>
Date: Sun, 3 Nov 1996 10:37:59 -0800 (PST)
From: John Gardiner Myers <jgm@portolacomm.com>
Reply-To: John Gardiner Myers <jgm@portolacomm.com>
To: krb5-bugs@MIT.EDU
Subject: krb524d frees memory twice
>Number: 150
>Category: krb5-kdc
>Synopsis: krb524d frees memory twice
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Sun Nov 3 13:41:00 EST 1996
>Last-Modified: Tue Dec 17 18:55:13 EST 1996
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->krb5-unassigned
Responsible-Changed-By: tlyu
Responsible-Changed-When: Wed Nov 13 23:29:25 1996
Responsible-Changed-Why:
refiled
State-Changed-From-To: open-feedback
State-Changed-By: tlyu
State-Changed-When: Thu Dec 5 23:14:34 1996
State-Changed-Why:
I believe Mark Eichin already checked in changes to fix this.
State-Changed-From-To: feedback-closed
State-Changed-By: tlyu
State-Changed-When: Tue Dec 17 18:54:41 1996
State-Changed-Why:
Hearing no further discussion, I'm closing this PR.
>Unformatted:
In handling a request, krb524d frees some memory twice. Enclosed patch fixes one instance of this.
I also noticed that in the first failure
condition, krb524_convert_tkt_skey() frees the input v5tkt, but does
not do so in any of the other error cases. This call to
krb5_free_ticket() is probably incorrect.
RCS file: /usr/system/portola/cvsroot/security/krb5/src/krb524/krb524d.c,v
retrieving revision 1.1.1.1
diff -c -r1.1.1.1 krb524d.c
*** krb524d.c 1996/11/02 20:54:30 1.1.1.1
--- krb524d.c 1996/11/03 17:33:30
***************
*** 291,299 ****
&v4_service_key);
if (ret)
goto error;
- krb5_free_keyblock_contents(context, &v5_service_key);
- krb5_free_keyblock_contents(context, &v4_service_key);
- krb5_free_ticket(context, v5tkt);
if (debug)
printf("credentials converted\n");
--- 291,296 ----
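Review bot: Dropping the three frees after `if (ret) goto error;` only addresses the success path; the `goto error` path just above is still exposed if, as the report says, krb524_convert_tkt_skey() has already released v5tkt on its first failure, because whatever cleanup remains for v5tkt would then run on a dangling pointer. The remaining cleanup is outside this hunk, so please confirm that v5_service_key, v4_service_key and v5tkt each have exactly one release reachable from both the success and the error path, remove the krb5_free_ticket() call from the conversion routine so the caller alone owns v5tkt, and set v5tkt to NULL after freeing it. A short comment at the cleanup site stating that ownership rule would keep later edits from reintroducing the early frees.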
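The ownership rule the report points toward, as an added C example that is not krb524d code: the callee only borrows the ticket, and the caller releases everything at a single label on every path. The types, function names and the allocation counter are hypothetical stand-ins, not the krb5 API.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for the ticket and key types; not the krb5 API. */
struct ticket { int enc_ok; };
struct keyblock { unsigned char *contents; size_t length; };

static int live_allocs;  /* constructed counter: allocations not yet freed */

static void *xalloc(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }

/* Idempotent: clears the keyblock so a second call is a no-op. */
static void free_keyblock_contents(struct keyblock *k)
{
    xfree(k->contents);
    k->contents = NULL;
    k->length = 0;
}

/* Callee borrows the ticket and never frees it, on any path. */
static int convert_ticket(const struct ticket *v5, const struct keyblock *key)
{
    if (key->contents == NULL) return 1;   /* first failure case */
    if (!v5->enc_ok) return 2;             /* a later failure case */
    return 0;
}

/* Caller owns what it allocated and releases it at one label. */
int handle_request(int have_key, int enc_ok)
{
    int ret = 3;  /* returned only if an allocation fails */
    struct keyblock key = { NULL, 0 };
    struct ticket *v5tkt = xalloc(sizeof(*v5tkt));

    if (v5tkt == NULL) goto cleanup;
    v5tkt->enc_ok = enc_ok;
    if (have_key) {
        key.contents = xalloc(8);
        if (key.contents == NULL) goto cleanup;
        key.length = 8;
    }
    ret = convert_ticket(v5tkt, &key);
    /* No frees here: success and failure both fall through to cleanup. */
cleanup:
    free_keyblock_contents(&key);
    xfree(v5tkt);
    v5tkt = NULL;
    return ret;
}

int leaked(void) { return live_allocs; }
```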