| Subject: | Uncommon memory leak of err_padata in krb5_init_creds_step() |
The krb5_init_creds_context err_padata field is used internally to a
krb5_init_creds_step() operation. It is populated in
init_creds_step_reply() with a call to krb5int_fast_process_error().
It is released or transferred in some error-handling paths, and is
released when the context is destroyed. If it survives at the end of
a call and another KRB-ERROR message is processed in a subsequent
step operation, it is leaked. This can happen in two cases:
* When a realm referral is received, ctx->err_reply is freed but ctx-
in the new realm, the padata will be leaked.
* If the error padata is used for k5_preauth_tryagain(), ctx-
another KRB-ERROR is received, the padata will be leaked.
krb5_init_creds_step() operation. It is populated in
init_creds_step_reply() with a call to krb5int_fast_process_error().
It is released or transferred in some error-handling paths, and is
released when the context is destroyed. If it survives at the end of
a call and another KRB-ERROR message is processed in a subsequent
step operation, it is leaked. This can happen in two cases:
* When a realm referral is received, ctx->err_reply is freed but ctx-
Show quoted text
>err_padata is not. Realm referral errors do not generally come with
padata, but if they do, and a KRB-ERROR is received on the next query in the new realm, the padata will be leaked.
* If the error padata is used for k5_preauth_tryagain(), ctx-
Show quoted text
>err_padata is not freed during the step call. If
k5_preauth_tryagain() succeeds in producing another request and another KRB-ERROR is received, the padata will be leaked.