From hartmans@MIT.EDU Fri Feb 1 06:22:45 2002
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id GAA14230
for <bugs@RT-11.mit.edu>; Fri, 1 Feb 2002 06:22:45 -0500 (EST)
Received: from grand-central-station.mit.edu (GRAND-CENTRAL-STATION.MIT.EDU [18.7.21.82])
by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id GAA16646
for <bugs@RT-11.mit.edu>; Fri, 1 Feb 2002 06:22:45 -0500 (EST)
Received: from melbourne-city-street.mit.edu (MELBOURNE-CITY-STREET.MIT.EDU [18.7.21.86])
by grand-central-station.mit.edu (8.9.2/8.9.2) with ESMTP id GAA21895
for <krb5-bugs@MIT.EDU>; Fri, 1 Feb 2002 06:22:44 -0500 (EST)
Received: from tir-na-nogth.mit.edu (TIR-NA-NOGTH.MIT.EDU [18.18.1.6])
by melbourne-city-street.mit.edu (8.9.2/8.9.2) with ESMTP id GAA08776
for <krb5-bugs@MIT.EDU>; Fri, 1 Feb 2002 06:22:44 -0500 (EST)
Received: (from hartmans@localhost) by tir-na-nogth.mit.edu (8.9.3)
id GAA11600; Fri, 1 Feb 2002 06:22:44 -0500 (EST)
Message-Id: <tsladutv43f.fsf@tir-na-nogth.mit.edu>
Date: 01 Feb 2002 06:22:44 -0500
From: Sam Hartman <hartmans@MIT.EDU>
Sender: hartmans@TIR-NA-NOGTH.MIT.EDU
To: krb5-bugs@MIT.EDU
Subject: ["Kunze, Babak" <bk@cm-ag.de>] Bug in MIT Kerberos V5 1.2.3

>Number: 1048
>Category: krb5-libs
>Synopsis: memory leak in initial credentials path
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Feb 1 06:23:00 EST 2002
>Last-Modified:
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:

------- Start of forwarded message -------
Message-ID: <D95D9818A782D41189F600105AEFF790333994@exchange.intern.cm-ag>
From: "Kunze, Babak" <bk@cm-ag.de>
To: "'krbcore@mit.edu'" <krbcore@mit.edu>
Subject: Bug in MIT Kerberos V5 1.2.3
Date: Fri, 1 Feb 2002 12:09:08 +0100
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"

Hi Folks,

I could not find out to which address I am supposed to report bugs. I
hope you can forward this to the right guys.

There is a bug in "krb5_get_init_creds" or probably in
"krb5_get_init_creds_password" (depends on point of view) which causes
memory leaks when a user supplies a bad password. In any case, however, the
code in "get_in_tkt.c" does *as_reply = local_as_reply when (as_reply !=
NULL). Then "krb5_get_init_creds_password" retries with use_master = 1. But
it supplies "&as_reply" again, in which case "*as_reply" is set to the
new "local_as_reply". The old value has not been freed and is now lost in
nirvana.

Hope I could help.

Babak Kunze

This could be fixed as follows in "gic_pwd.c":

<--------- snip ---------->

    /* first try: get the requested tkt from any kdc */

    ret = krb5_get_init_creds(context, creds, client, prompter, data,
                              start_time, in_tkt_service, options,
                              krb5_get_as_key_password, (void *) &pw0,
                              use_master, &as_reply);

    /* check for success */

    if (ret == 0)
        goto cleanup;

    /* If all the kdc's are unavailable, or if the error was due to a
       user interrupt, fail */

    if ((ret == KRB5_KDC_UNREACH) ||
        (ret == KRB5_LIBOS_PWDINTR) ||
        (ret == KRB5_REALM_CANT_RESOLVE))
        goto cleanup;

    /* if the reply did not come from the master kdc, try again with
       the master kdc */

    if (!use_master) {
        use_master = 1;

        /*******************************************/
        /***** release the old value here *******/
        /*******************************************/

        if (as_reply) {
            krb5_free_kdc_rep(context, as_reply);
            as_reply = NULL;
        }

        ret2 = krb5_get_init_creds(context, creds, client, prompter, data,
                                   start_time, in_tkt_service, options,
                                   krb5_get_as_key_password, (void *) &pw0,
                                   use_master, &as_reply);

<--------- snip ---------->

------- End of forwarded message -------
From: "lijian" <lijian@sendmail.com>
To: <krb5-bugs@mit.edu>
Date: Mon, 12 Apr 2004 18:22:38 -0700
Cc: lijian <lijian@sendmail.com>
Subject: Memory leak when wrong password is used.
OS: All
Kerberos 5 Version: 1.3.3

The function krb5_get_init_creds_password() leaks memory if a wrong password
is used.
The memory leak happens in krb5_get_init_creds_password() function in
src/lib/krb5/krb/gic_pwd.c.

Below is the fix:

$diff -u src/lib/krb5/krb/gic_pwd.c /tmp/gic_pwd.c.fixed
--- src/lib/krb5/krb/gic_pwd.c 2003-08-08 13:46:26.000000000 -0700
+++ /tmp/gic_pwd.c.fixed 2004-04-12 18:07:05.000000000 -0700
@@ -146,6 +146,9 @@
if (!use_master) {
use_master = 1;

+ if (as_reply)
+ krb5_free_kdc_rep(context, as_reply);
+
ret2 = krb5_get_init_creds(context, creds, client, prompter, data,
start_time, in_tkt_service, options,
krb5_get_as_key_password, (void *) &pw0,
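Review bot: after krb5_free_kdc_rep(context, as_reply) the local as_reply still holds the freed pointer until the retry call reassigns it; set as_reply = NULL directly after the free (as the earlier snippet in this ticket does, "krb5_free_kdc_rep(context, as_reply); as_reply = NULL;") so that nothing between the free and the reassignment can touch or free the stale reply. The "if (as_reply)" guard is enough for the free itself; the dangling interval is the part worth closing.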


Lijian Liu
Sendmail, Inc.
(510)-594-5527
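The leak that Babak's explanation above and Lijian's report describe, as an added example that is not MIT Kerberos code: a small C model of the out-pointer retry path in krb5_get_init_creds_password(). The names kdc_rep, model_get_init_creds, model_get_init_creds_password, live_reps and the error-code enum are assumptions made for this demonstration; the one behaviour taken from the reports is that the inner call stores its reply through *as_reply whether or not the attempt succeeded. The model runs the retry once without and once with the free before the second call and counts the reply objects left allocated afterwards.

```c
/* Added example (not MIT Kerberos code): a stand-alone model of the
 * out-pointer retry in krb5_get_init_creds_password().  Everything here
 * (kdc_rep, model_get_init_creds, model_get_init_creds_password, live_reps,
 * the error codes) is invented for the demonstration; the one behaviour
 * taken from the bug reports is that the inner call stores its reply
 * through *as_reply even when the attempt fails. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for krb5_kdc_rep: the AS reply the library hands back even when
 * it cannot decrypt the enc-part because the password was wrong. */
typedef struct kdc_rep {
    int  from_master;
    char msg_type[16];
} kdc_rep;

/* Stand-in error codes (values arbitrary). */
enum { ERR_OK = 0, ERR_PREAUTH_FAILED = 1, ERR_KDC_UNREACH = 2 };

/* Count of kdc_rep objects currently allocated: anything left over after
 * cleanup is a leak. */
static int live_reps = 0;

static void free_kdc_rep(kdc_rep *rep)
{
    if (rep != NULL) {
        live_reps--;
        free(rep);
    }
}

/* Model of krb5_get_init_creds(): allocates a reply and, success or not,
 * stores it through *as_reply before returning. */
static int model_get_init_creds(int use_master, int password_ok,
                                kdc_rep **as_reply)
{
    int ret = ERR_OK;
    kdc_rep *local_as_reply = calloc(1, sizeof *local_as_reply);

    if (local_as_reply == NULL) {
        ret = ERR_KDC_UNREACH;            /* no reply at all */
    } else {
        live_reps++;
        local_as_reply->from_master = use_master;
        strcpy(local_as_reply->msg_type, "AS-REP");
        if (!password_ok)
            ret = ERR_PREAUTH_FAILED;     /* enc-part could not be decrypted */
    }

    /* Ownership passes to the caller regardless of ret. */
    if (as_reply != NULL)
        *as_reply = local_as_reply;
    else
        free_kdc_rep(local_as_reply);
    return ret;
}

/* Model of the retry in krb5_get_init_creds_password().  With
 * free_before_retry == 0 it follows the 1.2.3 control flow the report
 * describes; with 1 it applies the suggested fix.  Returns how many reply
 * objects this call left allocated (0 means no leak). */
static int model_get_init_creds_password(int password_ok, int free_before_retry)
{
    int before = live_reps;
    int ret, ret2;
    int use_master = 0;
    kdc_rep *as_reply = NULL;

    /* first try: any KDC */
    ret = model_get_init_creds(use_master, password_ok, &as_reply);
    if (ret == ERR_OK || ret == ERR_KDC_UNREACH)
        goto cleanup;

    /* retry against the master KDC; without the free, the first reply is
     * overwritten by the second call and can never be released */
    if (!use_master) {
        use_master = 1;
        if (free_before_retry && as_reply != NULL) {
            free_kdc_rep(as_reply);
            as_reply = NULL;              /* never leave it dangling */
        }
        ret2 = model_get_init_creds(use_master, password_ok, &as_reply);
        if (ret2 != ERR_KDC_UNREACH)
            ret = ret2;
    }

cleanup:
    free_kdc_rep(as_reply);
    (void)ret;
    return live_reps - before;
}

int main(void)
{
    int leaked = model_get_init_creds_password(0, 0);
    int fixed  = model_get_init_creds_password(0, 1);
    printf("wrong password, no free before retry: %d reply leaked\n", leaked);
    printf("wrong password, free before retry:    %d reply leaked\n", fixed);
    printf("correct password, no retry:           %d reply leaked\n",
           model_get_init_creds_password(1, 0));
    return (leaked == 1 && fixed == 0) ? 0 : 1;
}
```

The wrong-password run without the free leaves exactly one reply object allocated per call, which is the leak both reports describe; freeing and nulling as_reply before the retry brings that to zero, and a correct password never reaches the retry at all.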
From: hartmans@mit.edu
Subject: CVS Commit
Fix memory leak when not sending to master KDC in
get_init_creds_password path.


To generate a diff of this commit:



cvs diff -r5.433 -r5.434 krb5/src/lib/krb5/krb/ChangeLog
cvs diff -r5.27 -r5.28 krb5/src/lib/krb5/krb/gic_pwd.c
From: tlyu@mit.edu
Subject: CVS Commit
pullup from trunk


To generate a diff of this commit:



cvs diff -r5.378.2.33 -r5.378.2.34 krb5/src/lib/krb5/krb/ChangeLog
cvs diff -r5.19.2.5 -r5.19.2.6 krb5/src/lib/krb5/krb/gic_pwd.c