From papowell@dickory.sdsu.edu Mon Jan 27 14:36:58 1997
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id OAA03144 for <bugs@RT-11.MIT.EDU>; Mon, 27 Jan 1997 14:36:58 -0500
Received: from dickory.sdsu.edu by MIT.EDU with SMTP
id AA14181; Mon, 27 Jan 97 14:36:54 EST
Received: (from papowell@localhost) by dickory.sdsu.edu (8.8.3/8.8.2) id LAA26576; Mon, 27 Jan 1997 11:34:51 -0800 (PST)
Message-Id: <199701271934.LAA26576@dickory.sdsu.edu>
Date: Mon, 27 Jan 1997 11:34:51 -0800 (PST)
From: Patrick Powell <papowell@dickory.sdsu.edu>
Reply-To: papowell@dickory.sdsu.edu
To: krb5-bugs@MIT.EDU
Subject: krb5_sendauth: freeing returned creds structure
X-Send-Pr-Version: 3.99
>Number: 357
>Category: krb5-libs
>Synopsis: krb5_sendauth returning freed creds
>Confidential: yes
>Severity: serious
>Priority: high
>Responsible: probe
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Mon Jan 27 14:37:01 EST 1997
>Last-Modified: Fri May 30 15:55:24 EDT 1997
>Originator: Patrick Powell
>Organization:
Prof. Patrick Powell
Dept. Electrical and Computer Engineering,
San Diego State University,
San Diego, CA 92182-1309
Office (619) 594-7796; Lab (619) 594-7578 FAX (619) 594-7577
email: papowell@sdsu.edu
>Release: 1.0
>Environment:
System: SunOS dickory 4.1.4 2 sun4m
Architecture: sun4
>Description:
src/lib/krb5/krb/sendauth.c

krb5_sendauth(context, auth_context,
              /* IN */
              fd, appl_version, client, server, ap_req_options, in_data,
              in_creds,
              /* IN/OUT */
              ccache,
              /* OUT */
              error, rep_result, out_creds)
    krb5_context context;
    krb5_auth_context * auth_context;
    krb5_pointer fd;
    char * appl_version;
    krb5_principal client;
    krb5_principal server;
    krb5_flags ap_req_options;
    krb5_data * in_data;
    krb5_creds * in_creds;
    krb5_ccache ccache;
    krb5_error ** error;
    krb5_ap_rep_enc_part ** rep_result;
    krb5_creds ** out_creds;
out_creds is used to return the credentials to the caller.
At the end of the routine, we have the following:
    retval = 0;                     /* Normal return */
    if (out_creds) {
        *out_creds = credsp;        <--- returned to user value
    }

error_return:
    krb5_free_cred_contents(context, &creds);
    if (credspout)                              <<<<<<<<<<<<<<<<<<<<
        krb5_free_creds(context, credspout);    <<<<<<<< whoops! we free this.
    if (!ccache && use_ccache)
        krb5_cc_close(context, use_ccache);
    return(retval);
}
We should not free the credentials if they are returned.
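The ownership problem described above, as an added example that is not part of the report or of the krb5 sources: a small model of the tail of krb5_sendauth() in which the credentials object is fetched, optionally handed back through an out-pointer, and then cleaned up at error_return. The types and helpers (creds_t, get_credentials, the policy enum, the live-object counter) are constructed for the example. It contrasts the cleanup in the report, the guard proposed in the report's patch, and a cleanup keyed to whether ownership was actually transferred, on both the normal return and an error return taken after the fetch.

```c
/* Ownership of credentials returned through an out-pointer.
 * Added model of the krb5_sendauth() cleanup problem, not krb5 code:
 * creds_t, get_credentials() and policy_t are constructed for the example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { char principal[64]; } creds_t;

/* Instrumentation: count live objects so a caller can tell a dangling
 * return (freed while still handed out) from a leak (never freed). */
static int live_creds = 0;

static creds_t *alloc_creds(const char *principal) {
    creds_t *c = calloc(1, sizeof *c);
    if (c) {
        strncpy(c->principal, principal, sizeof c->principal - 1);
        live_creds++;
    }
    return c;
}

static void free_creds(creds_t *c) {
    if (c) {
        live_creds--;
        free(c);
    }
}

int live_creds_count(void) { return live_creds; }

/* Stand-in for krb5_get_credentials(): hands back a fresh allocation. */
static int get_credentials(creds_t **out) {
    *out = alloc_creds("user@EXAMPLE.COM");   /* constructed sample principal */
    return *out ? 0 : -1;
}

typedef enum {
    POLICY_ORIGINAL,  /* free whenever credspout is set: the code in the report */
    POLICY_PROPOSED,  /* free only when no out_creds was passed: the report's patch */
    POLICY_HANDOFF    /* free unless ownership was actually transferred */
} policy_t;

/* Model of the tail of krb5_sendauth(). fail_after_fetch forces an error
 * return after the credentials were fetched, the situation the real function
 * reaches through its error_return label when a later step fails. */
int sendauth_model(policy_t policy, int fail_after_fetch, creds_t **out_creds) {
    int retval;
    creds_t *credsp = NULL;     /* what will be handed back */
    creds_t *credspout = NULL;  /* the allocation this function owns, if any */
    int handed_off = 0;

    retval = get_credentials(&credspout);
    if (retval)
        goto error_return;
    credsp = credspout;

    if (fail_after_fetch) {
        retval = -2;            /* e.g. a later protocol step failed */
        goto error_return;
    }

    retval = 0;                 /* normal return */
    if (out_creds) {
        *out_creds = credsp;
        handed_off = 1;         /* the caller now owns credsp */
    }

error_return:
    switch (policy) {
    case POLICY_ORIGINAL:       /* frees what was just returned: dangling pointer */
        if (credspout)
            free_creds(credspout);
        break;
    case POLICY_PROPOSED:       /* never frees when out_creds is given: leaks on error */
        if (!out_creds && credspout)
            free_creds(credspout);
        break;
    case POLICY_HANDOFF:        /* releases on error, transfers on success */
        if (!handed_off && credspout)
            free_creds(credspout);
        break;
    }
    return retval;
}

int main(void) {
    creds_t *c;
    c = NULL; sendauth_model(POLICY_ORIGINAL, 0, &c);
    printf("original, success: returned=%p live=%d (dangling)\n", (void *)c, live_creds_count());
    c = NULL; sendauth_model(POLICY_HANDOFF, 0, &c);
    printf("hand-off, success: returned=%p live=%d\n", (void *)c, live_creds_count());
    free_creds(c);
    c = NULL; sendauth_model(POLICY_HANDOFF, 1, &c);
    printf("hand-off, error:   returned=%p live=%d\n", (void *)c, live_creds_count());
    c = NULL; sendauth_model(POLICY_PROPOSED, 1, &c);
    printf("proposed, error:   returned=%p live=%d (leaked)\n", (void *)c, live_creds_count());
    return 0;
}
```

The returned pointer is never dereferenced after the POLICY_ORIGINAL call; the live-object counter is what shows it has already been freed. The hand-off variant is the one a reviewer would ask for: the decision to free is keyed to whether `*out_creds` was actually assigned, not to whether the caller supplied the argument, so an error return taken after the fetch still releases the allocation.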
>How-To-Repeat:
>Fix:
*** sendauth.c Mon Jan 27 11:28:12 1997
--- sendauth.c.orig Mon Jan 27 11:28:09 1997
***************
*** 218,224 ****
error_return:
krb5_free_cred_contents(context, &creds);
! if ( !out_creds && credspout)
krb5_free_creds(context, credspout);
if (!ccache && use_ccache)
krb5_cc_close(context, use_ccache);
--- 218,224 ----
error_return:
krb5_free_cred_contents(context, &creds);
! if (credspout)
krb5_free_creds(context, credspout);
if (!ccache && use_ccache)
krb5_cc_close(context, use_ccache);
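Review bot: the replacement guard `! if ( !out_creds && credspout)` trades the double free for a leak on the error path. Any error return that jumps to `error_return:` before `*out_creds = credsp;` has been executed arrives at this cleanup with `out_creds` still non-NULL but nothing handed back, and the new condition then skips `krb5_free_creds` for credentials the caller will never see. Tie the skip to the hand-off rather than to the argument: clear `credspout` (or set a flag) immediately after `*out_creds = credsp;` and keep `if (credspout)` here, so the normal return transfers ownership and every error return still releases it. The guard also tests `credspout` while the value returned is `credsp`; nothing in the hunk shows that the two always name the same allocation, so that should be confirmed against the code that sets them. Minor: the diff was taken with `***` as the patched file and `---` as `sendauth.c.orig`, so the `!` line under `*** 218,224 ****` is the proposed new code and the one under `--- 218,224 ----` is the current code; regenerating it old-to-new would spare readers a double take.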
>Audit-Trail:
State-Changed-From-To: closed-feedback
State-Changed-By: tlyu
State-Changed-When: Wed Feb 12 16:00:52 1997
State-Changed-Why:
Re-opening... we shouldn't close this until patchlevel 1 goes out
because we need to reference the file version.
Responsible-Changed-From-To: basch->probe
Responsible-Changed-By: probe
Responsible-Changed-When: Tue Apr 1 19:53:51 1997
Responsible-Changed-Why:
State-Changed-From-To: feedback-closed
State-Changed-By: tlyu
State-Changed-When: Fri May 30 15:55:11 1997
State-Changed-Why:
1.0pl1 has been released
>Unformatted:
krb5_sendauth frees credentials even when returned to user
critical
high
krb5-libs
sw-bug
[Feb 07 1997 - basch]
I concur that this code fragment is indeed in error, and have patched
the mainline source tree. The patch should be included in the 1.1
release. [Also queued for 1.0 patch1]
Patched files:
src/lib/krb5/krb/sendauth.c 5.29