Subject: ccache double free in krb5_fcc_read_addrs().
In krb5_fcc_read_addrs(), we have:
kret = krb5_fcc_read_addr(context, id, (*addrs)[i]);
CHECK(kret);
in the loop. If krb5_fcc_read_addr() fails, then it will free
its allocated memory addr->contents while leaving addr->contents as
a non-NULL ptr. krb5_fcc_read_addrs() then calls
errout:
if (*addrs)
krb5_free_addresses(context, *addrs);
return kret;
which will attempt to free the addr->contents which has already been
freed.
To patch, probably zero out the addr->contents after the free.
This is not the only occurrence in this file. A quick inspection yields:
retrieving revision 1.3
diff -u -r1.3 cc_file.c
--- cc_file.c 16 Aug 2005 21:58:51 -0000 1.3
+++ cc_file.c 17 Nov 2006 04:07:31 -0000
@@ -549,6 +549,7 @@
errout:
if (*addrs)
krb5_free_addresses(context, *addrs);
+ *addrs = NULL;
return kret;
}
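Review bot: `*addrs = NULL;` at this errout label does not by itself stop the double free described above, because krb5_free_addresses(context, *addrs) still walks every element and frees each contents pointer, including the one krb5_fcc_read_addr() already released; the per-element change in krb5_fcc_read_addr()'s errout is what closes that, and this line only keeps the caller from holding a freed *addrs. Worth keeping, but the change description should say which hunk fixes the reported crash.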
@@ -597,6 +598,7 @@
errout:
if (keyblock->contents)
krb5_xfree(keyblock->contents);
+ keyblock->contents = NULL;
return kret;
}
@@ -680,6 +682,7 @@
errout:
if (addr->contents)
krb5_xfree(addr->contents);
+ addr->contents = NULL;
return kret;
}
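Review bot: this is the hunk that fixes the reported crash: krb5_fcc_read_addr() previously freed addr->contents and returned with the pointer still set, so the caller's errout freed it a second time through krb5_free_addresses(). Suggest a one-line comment at this label stating that the caller owns the containing struct and will free contents again, so a future cleanup does not drop the assignment.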
@@ -816,6 +819,7 @@
errout:
if (*a)
krb5_free_authdata(context, *a);
+ *a = NULL;
return kret;
}
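Review bot: same situation as the addrs hunk: `*a = NULL;` protects the caller from a dangling *a but does not change what krb5_free_authdata(context, *a) does to elements whose contents were already freed by the per-element reader; the `a->contents = NULL;` hunk below is the one that prevents the double free on this path.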
@@ -858,6 +862,7 @@
errout:
if (a->contents)
krb5_xfree(a->contents);
+ a->contents = NULL;
return kret;
}
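Review bot: mirrors the addr->contents hunk and is the real fix for the authdata path. One style point: the label's `if (a->contents)` guard already tests the pointer, so either move the assignment inside the if body or, if krb5_xfree() accepts NULL, drop the guard, rather than keeping a guarded free next to an unguarded reset.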
cvs diff: Diffing ccapi
As likely problems as well.
I would suggest also NULLing out all free(3)d data in krb5/krb/kfree.c.
That would solve the problem centrally.
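The ownership pattern the report describes, as an added C example that is not krb5 code: a stand-in element reader frees its buffer on a short read, and the caller's cleanup then frees every element the way krb5_free_addresses() does, so without the NULL assignment the second free hits a dangling pointer. The types, function names and sample bytes are constructed, and a small allocation tracker counts the double free instead of letting it reach the allocator.

```c
#include <stdlib.h>
#include <string.h>
/* Stand-ins for krb5_address and an error code: assumptions, not krb5's real definitions. */
typedef struct { unsigned int length; unsigned char *contents; } addr_t;
enum { OK = 0, ERR_SHORT_READ = 1, MAX_ADDRS = 4 };
/* Tracker: a free() of a pointer no longer live is counted as a double free, not passed on. */
static void *live[MAX_ADDRS]; static int double_frees;
static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; i < MAX_ADDRS; i++) if (!live[i]) { live[i] = p; break; }
    return p;
}
static void tracked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < MAX_ADDRS; i++) if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;   /* p was already released: the bug the report describes */
}
/* Element reader modelled on krb5_fcc_read_addr(): frees contents at errout; patched also NULLs it. */
static int read_addr(const unsigned char *buf, size_t len, addr_t *addr, int patched) {
    int kret = OK;
    addr->length = 4;
    addr->contents = tracked_malloc(addr->length);
    if (!addr->contents) return ERR_SHORT_READ;   /* nothing allocated, nothing to clean up */
    if (len < addr->length) { kret = ERR_SHORT_READ; goto errout; }   /* simulated short read */
    memcpy(addr->contents, buf, addr->length);
    return OK;
errout:
    tracked_free(addr->contents);
    if (patched) addr->contents = NULL;   /* the fix: leave no dangling pointer for the caller */
    return kret;
}
/* Caller modelled on krb5_fcc_read_addrs(): cleanup frees every element, as krb5_free_addresses() does. */
static int read_addrs(const unsigned char *buf, size_t len, int n, int patched) {
    addr_t addrs[MAX_ADDRS] = {{0}};
    int kret = OK;
    if (n > MAX_ADDRS) n = MAX_ADDRS;
    for (int i = 0; i < n; i++) {
        size_t off = (size_t)i * 4 < len ? (size_t)i * 4 : len;   /* stay inside buf */
        kret = read_addr(buf + off, len - off, &addrs[i], patched);
        if (kret) break;                                          /* goto errout in the original */
    }
    for (int i = 0; i < n; i++) tracked_free(addrs[i].contents);  /* second free of a dangling pointer */
    return kret;
}
/* Two elements but only 6 constructed bytes, so the second read fails; returns double frees seen. */
int double_frees_for(int patched) {
    static const unsigned char sample[6] = {1, 2, 3, 4, 5, 6};
    double_frees = 0; memset(live, 0, sizeof live);
    read_addrs(sample, sizeof sample, 2, patched);
    return double_frees;
}
```

With `patched` set to 0 the cleanup attempts one double free; with 1 the NULL left at errout makes the second free a no-op.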