From hartmans@MIT.EDU Fri Feb 1 06:22:45 2002
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id GAA14230
for <bugs@RT-11.mit.edu>; Fri, 1 Feb 2002 06:22:45 -0500 (EST)
Received: from grand-central-station.mit.edu (GRAND-CENTRAL-STATION.MIT.EDU [18.7.21.82])
by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id GAA16646
for <bugs@RT-11.mit.edu>; Fri, 1 Feb 2002 06:22:45 -0500 (EST)
Received: from melbourne-city-street.mit.edu (MELBOURNE-CITY-STREET.MIT.EDU [18.7.21.86])
by grand-central-station.mit.edu (8.9.2/8.9.2) with ESMTP id GAA21895
for <krb5-bugs@MIT.EDU>; Fri, 1 Feb 2002 06:22:44 -0500 (EST)
Received: from tir-na-nogth.mit.edu (TIR-NA-NOGTH.MIT.EDU [18.18.1.6])
by melbourne-city-street.mit.edu (8.9.2/8.9.2) with ESMTP id GAA08776
for <krb5-bugs@MIT.EDU>; Fri, 1 Feb 2002 06:22:44 -0500 (EST)
Received: (from hartmans@localhost) by tir-na-nogth.mit.edu (8.9.3)
id GAA11600; Fri, 1 Feb 2002 06:22:44 -0500 (EST)
Message-Id: <tsladutv43f.fsf@tir-na-nogth.mit.edu>
Date: 01 Feb 2002 06:22:44 -0500
From: Sam Hartman <hartmans@MIT.EDU>
Sender: hartmans@TIR-NA-NOGTH.MIT.EDU
To: krb5-bugs@MIT.EDU
Subject: ["Kunze, Babak" <bk@cm-ag.de>] Bug in MIT Kerberos V5 1.2.3
>Number: 1048
>Category: krb5-libs
>Synopsis: memory leak in initial credentials path
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Feb 1 06:23:00 EST 2002
>Last-Modified:
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
------- Start of forwarded message -------
Message-ID: <D95D9818A782D41189F600105AEFF790333994@exchange.intern.cm-ag>
From: "Kunze, Babak" <bk@cm-ag.de>
To: "'krbcore@mit.edu'" <krbcore@mit.edu>
Subject: Bug in MIT Kerberos V5 1.2.3
Date: Fri, 1 Feb 2002 12:09:08 +0100
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Hi Folks,
I could not find out which address I am supposed to report bugs to. I
hope you can forward this to the right guys.
There is a bug in "krb5_get_init_creds" or probably in
"krb5_get_init_creds_password" (depends on the point of view) which causes
memory leaks when a user supplies a bad password. In any case, however, the
code in "get_in_tkt.c" does *as_reply = local_as_reply when (as_reply !=
NULL). Then "krb5_get_init_creds_password" retries with use_master = 1, but
it supplies "&as_reply" again, in which case "*as_reply" is set to the
new "local_as_reply". The old value has not been freed and is now lost in
nirvana.
Hope I could help.
Babak Kunze
This could be fixed as follows in "gic_pwd.c":
<--------- snip ---------->
   /* first try: get the requested tkt from any kdc */
   ret = krb5_get_init_creds(context, creds, client, prompter, data,
                             start_time, in_tkt_service, options,
                             krb5_get_as_key_password, (void *) &pw0,
                             use_master, &as_reply);

   /* check for success */
   if (ret == 0)
      goto cleanup;

   /* If all the kdc's are unavailable, or if the error was due to a
      user interrupt, fail */
   if ((ret == KRB5_KDC_UNREACH) ||
       (ret == KRB5_LIBOS_PWDINTR) ||
       (ret == KRB5_REALM_CANT_RESOLVE))
      goto cleanup;

   /* if the reply did not come from the master kdc, try again with
      the master kdc */
   if (!use_master) {
      use_master = 1;

      /*******************************************/
      /***** release the old value here *******/
      /*******************************************/
      if (as_reply) {
         krb5_free_kdc_rep(context, as_reply);
         as_reply = NULL;
      }

      ret2 = krb5_get_init_creds(context, creds, client, prompter, data,
                                 start_time, in_tkt_service, options,
                                 krb5_get_as_key_password, (void *) &pw0,
                                 use_master, &as_reply);
<--------- snip ---------->
------- End of forwarded message -------
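The leak described in the forwarded report, as an added example that is not part of the report or of the MIT krb5 sources: a small C model of an out-parameter that is overwritten on a retry without the previous value being released. `kdc_rep`, `free_kdc_rep`, `get_init_creds`, `leaky_retry` and `fixed_retry` are hypothetical stand-ins for krb5_kdc_rep, krb5_free_kdc_rep, krb5_get_init_creds and the two shapes of the gic_pwd.c retry (before and after the suggested fix); the `fail` argument simulates the KDC rejecting the password, and a live-object counter stands in for a leak checker so the outcome can be asserted.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for krb5_kdc_rep: a heap object with a nested
 * allocation, so that a plain free() would not be enough. */
typedef struct {
    int from_master;
    char *msg;
} kdc_rep;

/* Number of live kdc_rep objects; a stand-in for a leak checker. */
static int live_reps = 0;

/* Stand-in for krb5_free_kdc_rep(): deep-frees one reply. */
static void free_kdc_rep(kdc_rep *rep)
{
    if (rep == NULL)
        return;
    free(rep->msg);
    free(rep);
    live_reps--;
}

/*
 * Models the get_in_tkt.c behaviour the report describes: a fresh reply is
 * allocated and stored through *as_reply whenever the caller passed a
 * non-NULL pointer, even when the request fails. Nothing here frees a
 * previous value of *as_reply; that is the caller's job. fail != 0
 * simulates a bad password; the return value 1 stands for any KRB5 error.
 */
static int get_init_creds(int use_master, int fail, kdc_rep **as_reply)
{
    const char *text = use_master ? "reply from master kdc" : "reply from any kdc";
    kdc_rep *local = calloc(1, sizeof(*local));
    if (local == NULL)
        return -1;
    local->msg = malloc(strlen(text) + 1);
    if (local->msg == NULL) {
        free(local);
        return -1;
    }
    strcpy(local->msg, text);
    local->from_master = use_master;
    live_reps++;

    if (as_reply != NULL)
        *as_reply = local;          /* ownership handed to the caller */
    else
        free_kdc_rep(local);

    return fail ? 1 : 0;
}

/*
 * Caller shaped like the reported 1.2.3 gic_pwd.c: on failure, retry against
 * the master KDC with the same &as_reply. Returns how many replies created by
 * this call are still live after cleanup; 1 means the first reply leaked.
 */
static int leaky_retry(int bad_password)
{
    int before = live_reps;
    kdc_rep *as_reply = NULL;
    int use_master = 0;

    int ret = get_init_creds(use_master, bad_password, &as_reply);
    if (ret != 0 && !use_master) {
        use_master = 1;
        /* *as_reply is overwritten here; the first reply is never freed */
        ret = get_init_creds(use_master, bad_password, &as_reply);
    }
    (void)ret;
    free_kdc_rep(as_reply);         /* cleanup frees only the last reply */
    return live_reps - before;
}

/* Same caller with the fix from the report: release before retrying. */
static int fixed_retry(int bad_password)
{
    int before = live_reps;
    kdc_rep *as_reply = NULL;
    int use_master = 0;

    int ret = get_init_creds(use_master, bad_password, &as_reply);
    if (ret != 0 && !use_master) {
        use_master = 1;
        free_kdc_rep(as_reply);     /* release the old value first */
        as_reply = NULL;
        ret = get_init_creds(use_master, bad_password, &as_reply);
    }
    (void)ret;
    free_kdc_rep(as_reply);
    return live_reps - before;
}

int main(void)
{
    printf("leaky caller, bad password:  %d reply leaked\n", leaky_retry(1));
    printf("fixed caller, bad password:  %d reply leaked\n", fixed_retry(1));
    printf("leaky caller, good password: %d reply leaked\n", leaky_retry(0));
    return 0;
}
```

With a correct password there is no retry and neither caller leaks; the leak only appears on the failure path, which is why it went unnoticed. Building the block with `-fsanitize=address` makes LeakSanitizer report the unreachable reply from `leaky_retry(1)` at exit, the same signal a leak checker would give against the real library.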