To: krb5-bugs@mit.edu
From: Sam Hartman <hartmans@debian.org>
Date: Mon, 19 Apr 2004 12:29:06 -0400
Cc: 244602-forwarded@bugs.debian.org
Subject: [fumihiko kakuma] Bug#244602: libkrb53: memory leak in libkrb5.so.3.2
I have not yet examined this issue.
Subject: Bug#244602: libkrb53: memory leak in libkrb5.so.3.2
From: fumihiko kakuma <kakuma@valinux.co.jp>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Date: Mon, 19 Apr 2004 12:25:05 +0900
Package: libkrb53
Version: 1.3.2-1
Severity: normal
Tags: patch
I found a memory leak in Kerberos 1.3.2 while I was
checking winbindd in Samba.
We can see the memory leak in the following source file.
lib/krb5/krb/gc_frm_kdc.c
I think krb5_get_cred_from_kdc_opt() in this program
will not free the area linked to the struct tgt in some cases.
These can be seen at the following lines.
In the normal case handled on lines 313, 318, 357 and 366, the local tgt
and the last tgt returned from krb5_cc_retrieve_cred() may not be freed.
I made the following patch.
===================================================================
diff -urN krb5-1.3.2.orig/src/lib/krb5/krb/gc_frm_kdc.c krb5-1.3.2/src/lib/krb5/krb/gc_frm_kdc.c
--- krb5-1.3.2.orig/src/lib/krb5/krb/gc_frm_kdc.c Thu May 15 03:16:29 2003
+++ krb5-1.3.2/src/lib/krb5/krb/gc_frm_kdc.c Tue Mar 30 11:43:34 2004
@@ -62,6 +62,10 @@
#define FLAGS2OPTS(flags) (flags & KDC_TKT_COMMON_MASK)
+#define TGT_FREE_FLG_INIT 0
+#define TGT_FREE_FLG_FREE_Y 1
+#define TGT_FREE_FLG_FREE_N 2
+
static krb5_error_code
krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds *in_cred, krb5_creds **out_cred, krb5_creds ***tgts, int kdcopt)
{
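Review bot: TGT_FREE_FLG_INIT and TGT_FREE_FLG_FREE_N are never told apart anywhere in this patch: every test in the later hunks compares only against TGT_FREE_FLG_FREE_Y. A single boolean named for what it means (whether tgt currently owns its contents) would carry the same state with one less value to reason about, and a short comment on the macros should say what is owned when the flag is set.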
@@ -69,6 +73,7 @@
int ntgts = 0;
krb5_creds tgt, tgtq, *tgtr = NULL;
+ krb5_creds tgt_tmp_save;
krb5_error_code retval;
krb5_principal int_server = NULL; /* Intermediate server for request */
@@ -77,6 +82,7 @@
krb5_principal *next_server = NULL;
unsigned int nservers = 0;
krb5_boolean old_use_conf_ktypes = context->use_conf_ktypes;
+ int tgt_free_flg = TGT_FREE_FLG_INIT;
/* in case we never get a TGT, zero the return */
@@ -84,6 +90,7 @@
memset((char *)&tgtq, 0, sizeof(tgtq));
memset((char *)&tgt, 0, sizeof(tgt));
+ memset((char *)&tgt_tmp_save, 0, sizeof(tgt_tmp_save));
/*
* we know that the desired credentials aren't in the cache yet.
@@ -157,6 +164,7 @@
&tgtq, &tgt))) {
goto cleanup;
}
+ tgt_free_flg = TGT_FREE_FLG_FREE_Y;
/* get a list of realms to consult */
@@ -215,6 +223,7 @@
if ((retval = krb5_copy_principal(context, int_server, &tgtq.server)))
goto cleanup;
+ tgt_tmp_save = tgt;
if ((retval = krb5_cc_retrieve_cred(context, ccache,
KRB5_TC_MATCH_SRV_NAMEONLY | KRB5_TC_SUPPORTED_KTYPES,
&tgtq, &tgt))) {
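Review bot: `tgt_tmp_save = tgt;` is a shallow struct copy, so from this line until krb5_cc_retrieve_cred() writes into tgt both structs point at the same allocations, and nothing here documents which one owns them. The later hunks free &tgt in one branch and &tgt_tmp_save in the else branch, which is only safe if exactly one of the two still refers to the old contents on each path; the body of this if is not shown, so please confirm tgt is left unmodified when the call fails and add a comment at the assignment stating that rule. The same applies to the identical assignment in the next hunk.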
@@ -274,6 +283,7 @@
&tgtq.server)))
goto cleanup;
+ tgt_tmp_save = tgt;
if ((retval = krb5_cc_retrieve_cred(context, ccache,
KRB5_TC_MATCH_SRV_NAMEONLY | KRB5_TC_SUPPORTED_KTYPES,
&tgtq, &tgt))) {
@@ -314,7 +324,16 @@
krb5_free_creds(context, tgtr);
tgtr = NULL;
+ if(tgt_free_flg == TGT_FREE_FLG_FREE_Y) {
+ krb5_free_cred_contents(context, &tgt);
+ tgt_free_flg = TGT_FREE_FLG_FREE_N;
+ }
tgt = *ret_tgts[ntgts++];
+ } else {
+ if(tgt_free_flg == TGT_FREE_FLG_FREE_Y)
+ krb5_free_cred_contents(context, &tgt_tmp_save);
+ else
+ tgt_free_flg = TGT_FREE_FLG_FREE_Y;
}
/* got one as close as possible, now start all over */
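Review bot: after `krb5_free_cred_contents(context, &tgt_tmp_save);` in the new else branch nothing resets tgt_tmp_save, so it keeps its old pointer values and the code relies on it being reassigned from tgt before any later free. Clearing it right after the free (the same memset used at function entry) would make a second pass through this branch harmless instead of a potential double free. Style: the surrounding code writes `if (`, the added lines use `if(`, and the two-line if/else would read better with braces given that it changes ownership state.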
@@ -358,11 +377,20 @@
krb5_free_creds(context, tgtr);
tgtr = NULL;
+ if(tgt_free_flg == TGT_FREE_FLG_FREE_Y) {
+ krb5_free_cred_contents(context, &tgt);
+ tgt_free_flg = TGT_FREE_FLG_FREE_N;
+ }
tgt = *ret_tgts[ntgts++];
/* we're done if it is the target */
if (!*next_server++) break;
+ } else {
+ if(tgt_free_flg == TGT_FREE_FLG_FREE_Y)
+ krb5_free_cred_contents(context, &tgt_tmp_save);
+ else
+ tgt_free_flg = TGT_FREE_FLG_FREE_Y;
}
}
}
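Review bot: both the free-then-reassign block before `tgt = *ret_tgts[ntgts++];` and the new else branch are verbatim copies of the ones added in the previous hunk. With the ownership rule spread over two loops, a later change to one copy is easy to miss in the other; please factor the two pieces into a small static helper (or at least a commented macro) so the rule for when tgt and tgt_tmp_save are released lives in one place.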
@@ -394,6 +422,9 @@
*tgts = NULL;
if (ret_tgts) free(ret_tgts);
krb5_free_cred_contents(context, &tgt);
+ } else {
+ if(tgt_free_flg == TGT_FREE_FLG_FREE_Y)
+ krb5_free_cred_contents(context, &tgt);
}
context->use_conf_ktypes = old_use_conf_ktypes;
return(retval);
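Review bot: the new else branch frees tgt only when tgt_free_flg is TGT_FREE_FLG_FREE_Y, but the existing `krb5_free_cred_contents(context, &tgt);` in the branch just above it still runs unconditionally. After `tgt = *ret_tgts[ntgts++];` in the earlier hunks the flag is TGT_FREE_FLG_FREE_N and tgt is a struct copy of a ret_tgts entry, so please either gate that call on the flag as well or add a comment explaining why the entry's contents are meant to be released through tgt on that path. Also note that tgt_tmp_save is never released in either branch here; say in a comment why no exit path can reach this point with it still owning memory.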
===================================================================
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux enas-devel 2.4.17-xfs #1 SMP Thu Apr 11 13:30:19 JST 2002 i686
Locale: LANG=C, LC_CTYPE=C
Versions of packages libkrb53 depends on:
ii libc6 2.2.5-11.5 GNU C Library: Shared libraries an
ii libcomerr2 1.35-3 The Common Error Description libra