Date: Thu, 29 Jun 2006 17:50:43 -0600
From: "Shawn M. Emery" <Shawn.Emery@Sun.COM>
Subject: krb5_get_server_rcache double free
To: krb5-bugs@mit.edu

The fix for:
[krbdev.mit.edu #3924] the krb5_get_server_rcache routine frees

is not complete (listed here for convenience):

src/lib/krb5/krb/srv_rcache.c 22 Jun 2006 15:26:59 -0000 1.1.1.1.12.1
@@ -115,17 +115,13 @@
retval = krb5_rc_recover_or_initialize(context, rcache, context->clockskew);
if (retval) {
krb5_rc_close(context, rcache);
- rcache = 0;
goto cleanup;
}

*rcptr = rcache;
- rcache = 0;
retval = 0;

cleanup:
- if (rcache)
- krb5_xfree(rcache);
if (cachename)
krb5_xfree(cachename);
return retval;
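Review bot: with the cleanup-label `krb5_xfree(rcache)` removed, every `goto cleanup` in this function, including the krb5_rc_resolve_full failure path that sits above this hunk's window, now relies on the callee having already released rcache. The message below states that krb5_rc_resolve_full does free on failure, and r18286 later confirms that krb5_rc_close does as well, but nothing in these lines records either contract. Suggest a comment at `krb5_rc_close(context, rcache);` saying that the call frees the cache, so a later change cannot reintroduce a free under `cleanup:` without nulling the pointer on each hand-off path first.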

---
When krb5_rc_recover_or_initialize() returns failure, rcache now leaks.

We know that krb5_rc_resolve_full() frees rcache after failure, we just
need to set rcache to NULL so that we don't double free. Suggested fix
(diffs based on 1.5-alpha1):

src/lib/krb5/krb/srv_rcache.c:
@@ -103,12 +103,14 @@
#endif

cachename[p++] = '\0';

retval = krb5_rc_resolve_full(context, &rcache, cachename);
- if (retval)
+ if (retval) {
+ rcache = 0;
goto cleanup;
+ }

/*
* First try to recover the replay cache; if that doesn't work,
* initialize it.
*/
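Review bot: the added `rcache = 0;` after a failed krb5_rc_resolve_full only prevents a double free if the `cleanup:` label still frees a non-NULL rcache; on the tree shown in the first hunk that free had been removed, so this hunk must be paired with restoring it, which is what the r18283 commit message ("Also restore free of rcache in cleanup code") does. The krb5_rc_recover_or_initialize failure path a few lines below this window is not touched here and needs the same `rcache = 0;` after `krb5_rc_close`, for the same reason; r18286 adds it.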

Shawn.
--
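An added C illustration (not MIT code) of the ownership rules the commits settle on: constructed stand-ins mimic krb5_rc_resolve_full freeing on failure and krb5_rc_close freeing the cache, and a counting free routine checks each exit path for leaks and double frees. The names rc_resolve_full, rc_close, get_server_rcache and check_path are assumed.

```c
#include <stdlib.h>

/* Constructed stand-ins for the krb5 replay-cache API (not MIT code);
 * they count live objects so each error path can be checked. */
static int live_objects = 0;   /* allocations not yet freed */
static int double_frees = 0;   /* frees of an already-freed object */
static int fail_step = 0;      /* 0 = succeed, 1 = resolve fails, 2 = recover fails */
typedef struct { int freed; } rcache_t;

static void rc_free(rcache_t *rc) {
    if (rc->freed) { double_frees++; return; }
    rc->freed = 1; live_objects--;   /* object kept so a second free is detectable */
}
/* Like krb5_rc_resolve_full: on failure it frees *rcp but does not null it. */
static int rc_resolve_full(rcache_t **rcp) {
    *rcp = calloc(1, sizeof **rcp); live_objects++;
    if (fail_step == 1) { rc_free(*rcp); return -1; }
    return 0;
}
/* Like krb5_rc_recover_or_initialize: fails without touching the cache. */
static int rc_recover_or_initialize(rcache_t *rc) { (void)rc; return fail_step == 2 ? -1 : 0; }
/* Like krb5_rc_close, which (per r18286) does free the cache. */
static void rc_close(rcache_t *rc) { rc_free(rc); }

/* The shape krb5_get_server_rcache takes after r18283 and r18286. */
static int get_server_rcache(rcache_t **rcptr) {
    rcache_t *rcache = NULL;
    int retval = rc_resolve_full(&rcache);
    if (retval) {
        rcache = NULL;      /* callee already freed it: drop our reference */
        goto cleanup;
    }
    retval = rc_recover_or_initialize(rcache);
    if (retval) {
        rc_close(rcache);   /* close frees the cache ... */
        rcache = NULL;      /* ... so cleanup must not free it again */
        goto cleanup;
    }
    *rcptr = rcache;        /* ownership passes to the caller */
    rcache = NULL;
cleanup:
    if (rcache) rc_free(rcache);   /* only a live, unowned cache reaches here */
    return retval;
}
/* Drive one exit path; returns 1 when neither a leak nor a double free occurred. */
int check_path(int step) {
    rcache_t *out = NULL;
    live_objects = 0; double_frees = 0; fail_step = step;
    if (get_server_rcache(&out) == 0) rc_free(out);  /* caller releases on success */
    return live_objects == 0 && double_frees == 0;
}
```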
From: tlyu@mit.edu
Subject: SVN Commit
* src/lib/krb5/krb/srv_rcache.c (krb5_get_server_rcache): Adapted
patch from Shawn Emery to set rcache = 0 in case of
krb5_rc_resolve_full failure because krb5_rc_resolve_full frees
but doesn't null rcache. Also restore free of rcache in cleanup
code. Continue to not null rcache in failure on
krb5_rc_recover_or_initialize because krb5_rc_close doesn't free
rcache.

Commit By: tlyu

Revision: 18283
Changed Files:
U trunk/src/lib/krb5/krb/srv_rcache.c
From: tlyu@mit.edu
Subject: SVN Commit
pull up r18283 from trunk

r18283@cathode-dark-space: tlyu | 2006-06-29 23:57:20 -0400
ticket: 3962
tags: pullup

* src/lib/krb5/krb/srv_rcache.c (krb5_get_server_rcache): Adapted
patch from Shawn Emery to set rcache = 0 in case of
krb5_rc_resolve_full failure because krb5_rc_resolve_full frees
but doesn't null rcache. Also restore free of rcache in cleanup
code. Continue to not null rcache in failure on
krb5_rc_recover_or_initialize because krb5_rc_close doesn't free
rcache.

Commit By: tlyu

Revision: 18284
Changed Files:
_U branches/krb5-1-5/
U branches/krb5-1-5/src/lib/krb5/krb/srv_rcache.c
From: tlyu@mit.edu
Subject: SVN Commit
* src/lib/krb5/krb/srv_rcache.c (krb5_get_server_rcache):
Oops, krb5_rc_close actually does free rcache, so actually do null
rcache on error from krb5_rc_recover_or_initialize. Thanks to
Shawn Emery for noticing.

Commit By: tlyu

Revision: 18286
Changed Files:
U trunk/src/lib/krb5/krb/srv_rcache.c
From: tlyu@mit.edu
Subject: SVN Commit
pull up r18286 from trunk

r18286@cathode-dark-space: tlyu | 2006-06-30 01:59:46 -0400
ticket: 3962

* src/lib/krb5/krb/srv_rcache.c (krb5_get_server_rcache):
Oops, krb5_rc_close actually does free rcache, so actually do null
rcache on error from krb5_rc_recover_or_initialize. Thanks to
Shawn Emery for noticing.

Commit By: tlyu

Revision: 18290
Changed Files:
_U branches/krb5-1-5/
U branches/krb5-1-5/src/lib/krb5/krb/srv_rcache.c
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #3962] krb5_get_server_rcache double free
From: Tom Yu <tlyu@MIT.EDU>
Date: Thu, 06 Jul 2006 17:52:07 -0400
Upon further analysis, I conclude that the patch submitted within
this bug report is functionally identical to the patch submitted in
ticket #3924. Both patches are against a common ancestor, and both
patches resolve the double-free issue without creating a memory leak.