From: Bean Zhang <bean.zhang@centrify.com>
To: "krb5-bugs@mit.edu" <krb5-bugs@mit.edu>
Subject: Resource leak in krb5_524_conv_principal()
Date: Fri, 15 Jun 2018 03:39:08 +0000
Hi Team,

In krb5-1.16.1/src/lib/krb5/krb/conv_princ.c, krb5_524_conv_principal() calls profile_get_string(), which allocates memory and stores it into tmp_realm, but later, if (tmp_realm_len > REALM_SZ - 1), it does not free the storage tmp_realm points to before "return KRB5_INVALID_PRINCIPAL".

The fix is simple, just call "profile_release_string(tmp_realm);" before "return KRB5_INVALID_PRINCIPAL".

Could someone help to take a look?

Thanks,
Bean
From: ghudson@mit.edu
Subject: git commit

Fix minor leaks in principal conversions

In krb5_524_conv_principal(), if the realm we read from the profile is
too long for the result buffer, free the profile value before
returning.

In krb5_425_conv_principal(), if krb5_get_realm_domain() fails, still
free any leftover allocated data using a cleanup label. The only one
that could be left over is dummy_value which we could address easily
enough within the loop, but we shouldn't sidestep the cleanup code.

Both bugs were reported by Bean Zhang.

https://github.com/krb5/krb5/commit/971c5213f7c501d3943bc0ff8db918f1616aa35a
Author: Greg Hudson <ghudson@mit.edu>
Commit: 971c5213f7c501d3943bc0ff8db918f1616aa35a
Branch: master
src/lib/krb5/krb/conv_princ.c | 7 +++++--
1 files changed, 5 insertions(+), 2 deletions(-)
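The leak the report describes and the cleanup-label shape the commit message argues for, as an added example in C that is not krb5's code and is not taken from the report or the commit. The profile_get_string() and profile_release_string() functions below are hypothetical stubs that reproduce only the real API's contract (a heap string the caller must release); REALM_SZ, the KRB5_INVALID_PRINCIPAL value and the profile table are placeholders and constructed data. conv_realm_leaky() models the original early return, conv_realm_fixed() routes every post-allocation exit through one cleanup label, and the stub's live-string counter lets a caller observe the difference.

```c
/* Added example, not krb5 code: profile_get_string()/profile_release_string()
 * are hypothetical stubs that mimic only the real API's contract (a heap
 * string the caller must release); the profile table is constructed data. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define REALM_SZ 40               /* krb4 realm buffer size named in the report */
#define KRB5_INVALID_PRINCIPAL 1  /* placeholder for the real error code */

/* Constructed stand-in for v4_realm settings under [realms] in krb5.conf. */
static const struct { const char *v5, *v4; } example_profile[] = {
    { "EXAMPLE.COM",      "EXAMPLE.COM" },
    { "LONG.EXAMPLE.COM", "THIS-V4-REALM-NAME-IS-WAY-TOO-LONG-TO-FIT-IN-REALM-SZ-BYTES" },
};

static long live_strings = 0;     /* handed out by the stub, not yet released */
static char *outstanding = NULL;  /* the most recent such string */

/* Stub: 0 with *out == NULL when the key is absent; 0 with a heap copy the
 * caller must pass to profile_release_string() when it is present. */
static int profile_get_string(const char *v5_realm, char **out)
{
    *out = NULL;
    for (size_t i = 0; i < sizeof example_profile / sizeof *example_profile; i++) {
        if (strcmp(example_profile[i].v5, v5_realm) != 0)
            continue;
        size_t n = strlen(example_profile[i].v4) + 1;
        if ((*out = malloc(n)) == NULL)
            return ENOMEM;
        memcpy(*out, example_profile[i].v4, n);
        live_strings++;
        outstanding = *out;
        break;
    }
    return 0;
}

/* Stub release; NULL-safe so a cleanup label can call it unconditionally. */
static void profile_release_string(char *s)
{
    if (s != NULL) { live_strings--; outstanding = NULL; }
    free(s);
}

/* BEFORE: the too-long check returns straight out, dropping tmp_realm. */
static int conv_realm_leaky(const char *v5_realm, char *realm)
{
    char *tmp_realm = NULL;
    int retval = profile_get_string(v5_realm, &tmp_realm);
    if (retval)
        return retval;
    const char *src = tmp_realm != NULL ? tmp_realm : v5_realm;
    if (strlen(src) > REALM_SZ - 1)
        return KRB5_INVALID_PRINCIPAL;   /* leak whenever tmp_realm was allocated */
    memcpy(realm, src, strlen(src) + 1);
    profile_release_string(tmp_realm);
    return 0;
}

/* AFTER: once something is allocated, every exit goes through one cleanup
 * label, so an error path cannot skip the release. */
static int conv_realm_fixed(const char *v5_realm, char *realm)
{
    char *tmp_realm = NULL;
    int retval = profile_get_string(v5_realm, &tmp_realm);
    if (retval)
        return retval;                   /* nothing allocated yet */
    const char *src = tmp_realm != NULL ? tmp_realm : v5_realm;
    if (strlen(src) > REALM_SZ - 1) {
        retval = KRB5_INVALID_PRINCIPAL;
        goto cleanup;
    }
    memcpy(realm, src, strlen(src) + 1);
    retval = 0;
cleanup:
    profile_release_string(tmp_realm);
    return retval;
}

static long last_leaked = 0;
/* Run one variant with fresh bookkeeping; returns its status and records how
 * many strings it dropped.  The dropped string is reclaimed here only so the
 * demo process itself exits clean (the converter has already lost it). */
int convert(int use_fixed, const char *v5_realm)
{
    char realm[REALM_SZ];
    live_strings = 0;
    int retval = use_fixed ? conv_realm_fixed(v5_realm, realm)
                           : conv_realm_leaky(v5_realm, realm);
    last_leaked = live_strings;
    free(outstanding);
    outstanding = NULL;
    return retval;
}

long leaked_strings(void) { return last_leaked; }
```

Calling convert(0, "LONG.EXAMPLE.COM") returns the error with one string still live, while convert(1, "LONG.EXAMPLE.COM") returns the same error with nothing outstanding; the realms that fit report no leak in either variant. If the harness did not reclaim the dropped string, a build with -fsanitize=address would have LeakSanitizer report the same block at exit, which is a quick way to confirm this class of bug on the real library.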