From krb5-bugs-incoming-bounces@PCH.mit.edu Wed Oct 19 16:43:48 2005
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by krbdev.mit.edu (8.9.3p2) with ESMTP
id QAA24913; Wed, 19 Oct 2005 16:43:48 -0400 (EDT)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
by pch.mit.edu (8.12.8p2/8.12.8) with ESMTP id j9JKhApx011908
for <krb5-send-pr@krbdev.mit.edu>; Wed, 19 Oct 2005 16:43:10 -0400
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU
[18.7.21.83])
by pch.mit.edu (8.12.8p2/8.12.8) with ESMTP id j9JEsFpx012174
for <krb5-bugs-incoming@PCH.mit.edu>; Wed, 19 Oct 2005 10:54:15 -0400
Received: from mail.avidhosting.com (mail.avidhosting.com [64.4.195.71])
j9JEsGqs017762
for <krb5-bugs@mit.edu>; Wed, 19 Oct 2005 10:54:16 -0400 (EDT)
Received: (qmail 7130 invoked by uid 399); 19 Oct 2005 14:54:15 -0000
Received: from unknown (HELO endian.dyndns.org) (67.184.105.142)
by mail.avidhosting.com with SMTP; 19 Oct 2005 14:54:15 -0000
Received: by endian.dyndns.org (Postfix, from userid 1000)
id 0069117A969; Wed, 19 Oct 2005 09:54:12 -0500 (CDT)
To: krb5-bugs@mit.edu
From: Ed Plese <ed@edplese.com>
X-send-pr-version: 3.99
Message-Id: <20051019145412.0069117A969@endian.dyndns.org>
Date: Wed, 19 Oct 2005 09:54:12 -0500 (CDT)
X-Spam-Score: -0.783
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
X-Mailman-Approved-At: Wed, 19 Oct 2005 16:43:09 -0400
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1
Precedence: list
Reply-To: Ed Plese <ed@edplese.com>
Sender: krb5-bugs-incoming-bounces@PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu
>Submitter-Id: net
>Originator:
>Organization:
>Confidential: no
>Synopsis: Memory leak parsing ticket_lifetime from krb5.conf.
>Severity: non-critical
>Priority: low
>Category: krb5-libs
>Class: sw-bug
>Release: 1.4.1
>Environment:
OS: Gentoo Linux
System: Linux morpheus 2.6.13-mm1 #1 SMP PREEMPT Wed Sep 7 06:40:46 CDT 2005 i686 Intel(R) Pentium(R) 4 CPU 2.60GHz GenuineIntel GNU/Linux
Architecture: i686
>Description:
This particular problem was noticed while running Samba 3 configured as a
domain member of an Active Directory. Over a few hours of working with
an Active Directory with a few thousand users, winbind would be
using over 1 GB of memory and would need to be restarted.
Running valgrind on winbind showed (among other things) the following
results after running "wbinfo -t" 1000 times.
==31865== 4004 bytes in 1001 blocks are definitely lost in loss record 36 of 44
==31865== at 0x1B9042FC: malloc (in /usr/lib/valgrind/vgpreload_memcheck.so)
==31865== by 0x1B9FF911: krb5_libdefault_string (get_in_tkt.c:716)
==31865== by 0x1B9FFBC3: krb5_get_init_creds (get_in_tkt.c:841)
==31865== by 0x1BA00E0C: krb5_get_init_creds_password (gic_pwd.c:124)
==31865== by 0x1D13FF: kerberos_kinit_password (kerberos.c:91)
==31865== by 0x1BAB95DE: __libc_start_main (in /lib/libc-2.3.4.so)
==31865== by 0x2F090: (within /usr/sbin/winbindd)
The culprit of the leak seems to be krb5_get_init_creds in get_in_tkt.c.
Here is the code starting at line 839:
    if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE)) {
        tkt_life = options->tkt_life;
    } else if ((ret = krb5_libdefault_string(context, &client->realm,
                                             "ticket_lifetime", &tempstr))
               == 0) {
        if ((ret = krb5_string_to_deltat(tempstr, &tkt_life))) {
            free(tempstr);
            goto cleanup;
        }
    } else {
        /* this used to be hardcoded in kinit.c */
        tkt_life = 24*60*60;
    }
The problem is that on success, krb5_string_to_deltat returns 0 and therefore
tempstr is never freed.
This should be able to be fixed by a simple fix as shown below:
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE)) {
tkt_life = options->tkt_life;
} else if ((ret = krb5_libdefault_string(context, &client->realm,
"ticket_lifetime", &tempstr))
== 0) {
if ((ret = krb5_string_to_deltat(tempstr, &tkt_life))) {
free(tempstr);
goto cleanup;
+ } else {
+ free(tempstr);
}
} else {
/* this used to be hardcoded in kinit.c */
tkt_life = 24*60*60;
}
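Review bot: the added "} else { free(tempstr);" branch leaves two separate free(tempstr) calls around the krb5_string_to_deltat check, one per outcome, which is the same shape that let the success path be missed in the first place. Calling krb5_string_to_deltat, freeing tempstr unconditionally on the next line, and only then testing ret for "goto cleanup" gives a single release point and drops the extra branch. The change also covers only the ticket_lifetime lookup; the renew_lifetime block the report mentions at line 856 needs the same treatment in the same patch, and the fix is stated to be untested, so a valgrind rerun of the "wbinfo -t" loop should accompany it.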
There also appears to be a problem with the retrieving of the renew_lifetime
configuration parameter in the code directly following the code shown above
(starting at line 856) since the code is very similar to the above code.
I am not familiar with the codebase so the above fix may not be correct and/or
may overlook something. For this reason I haven't even tested this fix and
instead just went with the workaround of removing the ticket_lifetime
configuration parameter from krb5.conf.
>How-To-Repeat:
I'm sure there are simpler ways, but in my environment I did the following:
1. Configure Samba 3 to be an Active Directory domain member server.
2. Run "wbinfo -t" 1000 times. All it really takes is once, but running
it 1000 makes it more noticeable.
>Fix:
The simple workaround to this problem is to remove the ticket_lifetime
configuration parameter from krb5.conf. This avoids the code path that
causes the memory leak.
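The ownership pattern behind this report, as an added example that is not part of the original message and is not krb5 code: a lookup that hands the caller a heap copy, a parser that returns 0 on success, and a counter showing which outcomes leave the copy allocated. The names lookup_setting, parse_seconds, release, tkt_life_leaky, tkt_life_fixed and outstanding_after are hypothetical stand-ins, and the input values are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-ins, not krb5 code: lookup_setting() plays the role of
 * krb5_libdefault_string (caller owns the returned copy), parse_seconds()
 * that of krb5_string_to_deltat (0 on success). Inputs are constructed. */
static long live_blocks;                     /* copies handed out, not yet freed */
static int lookup_setting(const char *value, char **out) {
    if (value == NULL || (*out = malloc(strlen(value) + 1)) == NULL) return -1;
    strcpy(*out, value);                     /* buffer is sized for value + NUL */
    live_blocks++;
    return 0;
}
static void release(char *s) { free(s); live_blocks--; }
static int parse_seconds(const char *s, long *out) {
    char *end;
    *out = strtol(s, &end, 10);
    return (end == s || *end != '\0') ? -1 : 0;
}
/* Shape of the reported code: the copy is freed only when parsing fails. */
static int tkt_life_leaky(const char *conf, long *life) {
    char *tempstr; int ret;
    if (lookup_setting(conf, &tempstr) == 0) {
        if ((ret = parse_seconds(tempstr, life))) { release(tempstr); return ret; }
    } else *life = 24*60*60;                 /* setting absent: default */
    return 0;
}
/* One release point: free after the last use, then look at ret. */
static int tkt_life_fixed(const char *conf, long *life) {
    char *tempstr; int ret;
    if (lookup_setting(conf, &tempstr) == 0) {
        ret = parse_seconds(tempstr, life);
        release(tempstr);
        if (ret) return ret;
    } else *life = 24*60*60;
    return 0;
}
/* Call fn n times with one config value; return copies still allocated. */
static long outstanding_after(int (*fn)(const char *, long *), const char *conf, int n) {
    long life;
    live_blocks = 0;
    for (int i = 0; i < n; i++) fn(conf, &life);
    return live_blocks;
}
int main(void) {
    printf("leaky, valid value: %ld\n", outstanding_after(tkt_life_leaky, "36000", 1000));
    printf("leaky, bad value:   %ld\n", outstanding_after(tkt_life_leaky, "bogus", 1000));
    printf("fixed, valid value: %ld\n", outstanding_after(tkt_life_fixed, "36000", 1000));
    return 0;
}
```

Only the valid-value path leaks, which is why the leak grows in normal operation and why removing the setting (the lookup-fails path) works around it.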