From krb5-bugs-incoming-bounces@PCH.mit.edu Thu Jun 22 15:24:48 2006
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by krbdev.mit.edu (8.9.3p2) with ESMTP
id PAA14927; Thu, 22 Jun 2006 15:24:48 -0400 (EDT)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id k5MJOIFw025275
for <krb5-send-pr@krbdev.mit.edu>; Thu, 22 Jun 2006 15:24:18 -0400
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU
[18.7.21.83])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id k5MFlGD9014360
for <krb5-bugs-incoming@PCH.mit.edu>; Thu, 22 Jun 2006 11:47:16 -0400
Received: from skamandros.sncag.com ([217.111.56.2])
by pacific-carrier-annex.mit.edu (8.13.6/8.9.2) with ESMTP id
k5MFl5Vo015803
for <krb5-bugs@mit.edu>; Thu, 22 Jun 2006 11:47:11 -0400 (EDT)
Received: from skamandros.sncag.com (localhost [127.0.0.1])
by skamandros.sncag.com (8.13.4/8.13.4/Debian-3sarge1) with ESMTP id
k5MFkxQQ006100
for <krb5-bugs@mit.edu>; Thu, 22 Jun 2006 17:46:59 +0200
Received: (from rw@localhost)
by skamandros.sncag.com (8.13.4/8.13.4/Submit) id k5MFkxks006097;
Thu, 22 Jun 2006 17:46:59 +0200
Date: Thu, 22 Jun 2006 17:46:59 +0200
From: Rainer Weikusat <rainer.weikusat@sncag.com>
Message-Id: <200606221546.k5MFkxks006097@skamandros.sncag.com>
To: krb5-bugs@mit.edu
Subject: double-free in srv_rcache.c
X-send-pr-version: 3.99
X-Spam-Score: 0
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
X-Mailman-Approved-At: Thu, 22 Jun 2006 15:24:17 -0400
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Sender: krb5-bugs-incoming-bounces@PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu


>Submitter-Id: net
>Originator: Rainer Weikusat
>Organization:
SNC AG
>Confidential: no
>Synopsis: the krb5_get_server_rcache routine frees already freed memory in error path
>Severity: non-critical
>Category: krb5-libs
>Class: sw-bug
>Release: 1.4.3
>Environment:

System: Linux skamandros 2.6.16.18 #5 SMP Tue May 30 13:42:31 CEST 2006 i686 GNU/Linux
Architecture: i686

>Description:
The krb5_get_server_rcache routine in src/lib/krb5/krb has a local
variable named rcache which is freed before returning to the caller
if its value is not a null pointer. The krb5_rc_resolve_full routine
(in src/lib/krb5/rcache/rc_base.c) which is called by
krb5_get_server_rcache towards the end (l. 107) allocates memory for
a krb5 rcache descriptor structure and stores the corresponding
address at the location its parameter id points to. When called from
krb5_get_server_rcache, this is the address of the rcache variable.
If the type cannot be resolved (e.g. because it hasn't been registered),
the memory is freed but the already initialized pointer is not
cleared, which causes the calling routine to attempt to free it
for a second time.
>How-To-Repeat:
Use the KRB5RCACHETYPE variable to request using a replay cache
type unknown to the Kerberos library.
>Fix:
--- kerberos-srv-rcache-fix/src/lib/krb5/krb/srv_rcache.c 19 Mar 2006 14:42:00 -0000 1.1.1.1
+++ kerberos-srv-rcache-fix/src/lib/krb5/krb/srv_rcache.c 22 Jun 2006 15:26:59 -0000 1.1.1.1.12.1
@@ -115,17 +115,13 @@
retval = krb5_rc_recover_or_initialize(context, rcache, context->clockskew);
if (retval) {
krb5_rc_close(context, rcache);
- rcache = 0;
goto cleanup;
}

*rcptr = rcache;
- rcache = 0;
retval = 0;

cleanup:
- if (rcache)
- krb5_xfree(rcache);
if (cachename)
krb5_xfree(cachename);
return retval;
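Review bot: the hunk removes the caller's defensive free rather than repairing the pointer, so after krb5_rc_resolve_full() fails `rcache` still holds the address of the freed descriptor; that is safe here only because nothing between the failing call and `return retval;` reads it, and any other caller of krb5_rc_resolve_full() that inspects or frees its output on failure keeps the same double free. Consider also clearing `*id` on the failure path in rc_base.c, and add a comment at `cleanup:` recording the ownership rule this hunk relies on (on failure the descriptor has already been released by krb5_rc_resolve_full() or krb5_rc_close(); on success it belongs to `*rcptr`), so that the removed `if (rcache) krb5_xfree(rcache);` is not reintroduced by a later maintainer.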
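The ownership bug the report describes, as an added example that is not krb5 code: a resolver that allocates its output, frees it when the type is unknown but leaves the caller's pointer dangling, paired with the caller as it was before the patch and as it is after. The descriptor struct, the instrumented allocator, the single registered type "dfl", and all function names are constructed for illustration; the instrumented free counts a second release of the same block instead of passing it to free(), so the program runs to completion and reports what would otherwise be heap corruption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a replay-cache descriptor; not krb5's struct. */
typedef struct rc_desc {
    const char *type;
    const char *name;
} rc_desc;

/* Instrumented allocator (constructed for this example): remembers live
 * blocks so a second release of the same pointer is counted, not freed. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_frees;

static void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (live[i] == NULL) { live[i] = p; return p; }
    free(p);                  /* NULL or table full: report allocation failure */
    return NULL;
}

static void tracked_free(void *p)
{
    if (p == NULL)
        return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;           /* p is not live: this is the report's double free */
}

int live_blocks(void)
{
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++)
        n += (live[i] != NULL);
    return n;
}

/* Only "dfl" counts as a registered replay-cache type in this model. */
static int type_known(const char *type) { return strcmp(type, "dfl") == 0; }

typedef int (*resolver_fn)(const char *type, const char *name, rc_desc **id);

/* Shaped like the report's description of krb5_rc_resolve_full: the
 * descriptor is stored through id before the type is checked, and on an
 * unknown type it is freed but *id is left pointing at the freed block. */
static int resolve_buggy(const char *type, const char *name, rc_desc **id)
{
    rc_desc *d = tracked_malloc(sizeof *d);
    if (d == NULL)
        return 1;
    *id = d;                                 /* caller's pointer now set... */
    if (!type_known(type)) {
        tracked_free(d);                     /* ...but not cleared after this */
        return 2;
    }
    d->type = type;
    d->name = name;
    return 0;
}

/* Callee-side repair: never hand a freed pointer back across the boundary. */
static int resolve_fixed(const char *type, const char *name, rc_desc **id)
{
    int ret = resolve_buggy(type, name, id);
    if (ret != 0)
        *id = NULL;
    return ret;
}

/* Caller as before the patch: frees rcache in cleanup whenever it is
 * non-null, trusting the callee to have left it valid. */
static int get_rcache_before(resolver_fn resolve, const char *type, rc_desc **out)
{
    rc_desc *rcache = NULL;
    int retval = resolve(type, "host/example", &rcache);
    if (retval)
        goto cleanup;
    *out = rcache;
    rcache = NULL;
cleanup:
    if (rcache)
        tracked_free(rcache);                /* second free if left dangling */
    return retval;
}

/* Caller after the patch: on failure the callee has already released the
 * descriptor; on success ownership moves to *out. Nothing is freed here. */
static int get_rcache_after(resolver_fn resolve, const char *type, rc_desc **out)
{
    rc_desc *rcache = NULL;
    int retval = resolve(type, "host/example", &rcache);
    if (retval)
        return retval;
    *out = rcache;
    return 0;
}

/* Run one resolver/caller pairing and return how many double frees it
 * caused; on success the descriptor is released by its new owner. */
int count_double_frees(int fixed_resolver, int patched_caller, const char *type)
{
    resolver_fn r = fixed_resolver ? resolve_fixed : resolve_buggy;
    rc_desc *out = NULL;
    double_frees = 0;
    int rv = patched_caller ? get_rcache_after(r, type, &out)
                            : get_rcache_before(r, type, &out);
    if (rv == 0)
        tracked_free(out);
    return double_frees;
}

int main(void)
{
    printf("buggy resolver + old caller, unknown type: %d\n", count_double_frees(0, 0, "bogus"));
    printf("buggy resolver + patched caller:           %d\n", count_double_frees(0, 1, "bogus"));
    printf("fixed resolver + old caller:               %d\n", count_double_frees(1, 0, "bogus"));
    printf("live blocks at exit: %d\n", live_blocks());
    return 0;
}
```

Either side of the boundary can own the fix: the patch chose the caller (stop freeing what the callee already released), while clearing the out-parameter in the callee protects every caller at once. Applying both costs nothing and is the defensive choice.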
From: tlyu@mit.edu
Subject: SVN Commit
* src/lib/krb5/krb/srv_rcache.c (krb5_get_server_rcache): Apply
patch from Rainer Weikusat to avoid double-free when
rc_resolve_full() fails due to misconfiguration.

Commit By: tlyu
Revision: 18206
Changed Files:
U trunk/src/lib/krb5/krb/srv_rcache.c
From: tlyu@mit.edu
Subject: SVN Commit
pull up r18206 from trunk

r18206@cathode-dark-space: tlyu | 2006-06-22 18:23:02 -0400
ticket: 3924
tags: pullup

* src/lib/krb5/krb/srv_rcache.c (krb5_get_server_rcache): Apply
patch from Rainer Weikusat to avoid double-free when
rc_resolve_full() fails due to misconfiguration.


Commit By: tlyu
Revision: 18221
Changed Files:
U branches/krb5-1-5/src/lib/krb5/krb/srv_rcache.c