Subject: ccache double free in krb5_fcc_read_addrs().
In krb5_fcc_read_addrs(), we have:

kret = krb5_fcc_read_addr(context, id, (*addrs)[i]);
CHECK(kret);

in the loop. If krb5_fcc_read_addr() fails, then it will free
its allocated memory addr->contents while leaving addr->contents as
a non-NULL ptr. krb5_fcc_read_addrs() then calls

errout:
if (*addrs)
krb5_free_addresses(context, *addrs);
return kret;

which will attempt to free the addr->contents which has already been
freed.

To patch, probably zero out the addr->contents after the free.

This is not the only occurrence in this file. A quick inspection yields:

retrieving revision 1.3
diff -u -r1.3 cc_file.c
--- cc_file.c 16 Aug 2005 21:58:51 -0000 1.3
+++ cc_file.c 17 Nov 2006 04:07:31 -0000
@@ -549,6 +549,7 @@
errout:
if (*addrs)
krb5_free_addresses(context, *addrs);
+ *addrs = NULL;
return kret;
}

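Review bot: setting *addrs to NULL here protects the caller of krb5_fcc_read_addrs() from freeing the array a second time, but it does not by itself close the double free the report describes, which happens inside this function when krb5_free_addresses() walks an array whose element still carries a freed addr->contents pointer; that path is closed only by the change in krb5_fcc_read_addr() (the @@ -680 hunk). A one-line comment stating that the caller may free *addrs on error would document why this assignment matters.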
@@ -597,6 +598,7 @@
errout:
if (keyblock->contents)
krb5_xfree(keyblock->contents);
+ keyblock->contents = NULL;
return kret;
}

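Review bot: style: the free-then-NULL pair at this errout label is the same sequence added at four other labels in this file, and the report already suggests centralising the NULLing in krb5/krb/kfree.c; if that is out of scope for this change, a small local helper or macro used at all five sites would keep future error paths from reintroducing the stale pointer.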
@@ -680,6 +682,7 @@
errout:
if (addr->contents)
krb5_xfree(addr->contents);
+ addr->contents = NULL;
return kret;
}

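Review bot: this is the site the report identifies: krb5_fcc_read_addr() freeing addr->contents on error while leaving the pointer set, so the later krb5_free_addresses() in krb5_fcc_read_addrs() freed it again. Since the correctness of the cleanup in the caller now depends on this assignment, a comment here saying that the caller frees the whole address array on error would make the dependency explicit.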
@@ -816,6 +819,7 @@
errout:
if (*a)
krb5_free_authdata(context, *a);
+ *a = NULL;
return kret;
}

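Review bot: nulling *a after krb5_free_authdata() guards the caller of this function; the element-level pointer that matches the reported pattern is a->contents, handled in the next hunk. The commit message ("possible double-free conditions on certain errors") would be more useful to someone reading the log later if it named the five error labels touched and stated that the address and authdata fixes come in caller/element pairs.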
@@ -858,6 +862,7 @@
errout:
if (a->contents)
krb5_xfree(a->contents);
+ a->contents = NULL;
return kret;

}
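Review bot: style: the trailing context shows a blank line between `return kret;` and the closing brace, unlike the other four errout labels in this patch where `}` follows `return kret;` directly; the added `a->contents = NULL;` is otherwise the same element-level fix as the @@ -680 hunk and is correctly placed after the conditional free.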
cvs diff: Diffing ccapi

As likely problems as well.

I would suggest also NULLing out all free(3)d data in krb5/krb/kfree.c.
That would solve the problem centrally.
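The failure path the report describes, as an added model in C that is not krb5 code: addr_t, tracked_free(), read_addr(), free_addresses(), read_addrs() and count_double_frees() are constructed stand-ins for the cc_file.c functions, a tracking free replaces krb5_xfree() so the second free is counted instead of crashing, and clear_on_error toggles the patch's NULL assignment.

```c
#include <stdlib.h>
/* Constructed model of the cc_file.c error path, not krb5 code. */
typedef struct { unsigned char *contents; } addr_t;
static int double_frees, freed_n;   /* repeated frees; pointers logged */
static void *freed_log[64];
/* Stand-in for krb5_xfree(): logs the pointer and counts repeats instead
 * of releasing memory, so a double free is observable, not a crash. */
static void tracked_free(void *p) {
    int i;
    if (p == NULL) return;
    for (i = 0; i < freed_n; i++)
        if (freed_log[i] == p) { double_frees++; return; }
    if (freed_n < 64) freed_log[freed_n++] = p;
}
/* Mirrors krb5_fcc_read_addr(): contents allocated, a later read fails,
 * errout frees them; with clear_on_error the pointer is also NULLed. */
static int read_addr(addr_t *addr, int clear_on_error) {
    addr->contents = malloc(16);
    tracked_free(addr->contents);               /* simulated read failure */
    if (clear_on_error) addr->contents = NULL;  /* the patch's fix */
    return -1;
}
/* Mirrors krb5_free_addresses(): each contents, each struct, the array. */
static void free_addresses(addr_t **addrs) {
    int i;
    for (i = 0; addrs[i] != NULL; i++) {
        tracked_free(addrs[i]->contents);
        tracked_free(addrs[i]);
    }
    tracked_free(addrs);
}
/* Mirrors the loop in krb5_fcc_read_addrs() and its errout label
 * (allocation failures are ignored in this model). */
static int read_addrs(int clear_on_error) {
    addr_t **addrs = calloc(3, sizeof(*addrs));   /* NULL-terminated */
    int i, kret = 0;
    for (i = 0; i < 2; i++) {
        addrs[i] = calloc(1, sizeof(addr_t));
        if ((kret = read_addr(addrs[i], clear_on_error)) != 0) goto errout;
    }
    return 0;
errout:
    if (addrs) free_addresses(addrs);
    return kret;
}
/* Runs the error path once; returns how many pointers were freed twice. */
int count_double_frees(int clear_on_error) {
    double_frees = freed_n = 0; read_addrs(clear_on_error);
    return double_frees;
}
```

Without the NULL assignment the inner free and the caller's krb5_free_addresses() walk both release addr->contents; with it the second call sees NULL and skips.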
From: tlyu@mit.edu
Subject: SVN Commit
* src/lib/krb5/ccache/cc_file.c: Adapted patch from Roland
Dowdeswell to avoid possible double-free conditions on certain
errors.

Commit By: tlyu

Revision: 18897
Changed Files:
U trunk/src/lib/krb5/ccache/cc_file.c
From: tlyu@mit.edu
Subject: SVN Commit
pull up r18897 from trunk

r18897@cathode-dark-space: tlyu | 2006-12-01 15:57:04 -0500
ticket: 4788
tags: pullup
target_version: 1.6
component: krb5-libs

* src/lib/krb5/ccache/cc_file.c: Adapted patch from Roland
Dowdeswell to avoid possible double-free conditions on certain
errors.

Commit By: tlyu

Revision: 18899
Changed Files:
_U branches/krb5-1-6/
U branches/krb5-1-6/src/lib/krb5/ccache/cc_file.c