 

From: Daniel Yeh <D.Yeh@f5.com>
To: "krb5-bugs@mit.edu" <krb5-bugs@mit.edu>
Subject: Replay Cache FD Leak
Date: Thu, 24 Jan 2019 18:52:08 +0000

Hello,

 

We use krb5 lib v1.10.3 in our product. Recently, one of our customers ran into a replay cache file descriptor leak issue in that there were many opened but deleted replay cache temp files staying around for days. For instance,

 

--------

Jan  7 13:44:28   fd 1220 (/shared/tmp/krb5_RCB8Wi7X (deleted)) : cloexec,  Fflags[0x8002], read-write

Jan 11 09:25:40  fd 1220 (/shared/tmp/krb5_RCB8Wi7X (deleted)) : cloexec,  Fflags[0x8002], read-write

--------

Jan  8 15:33:17  fd 1529 (/shared/tmp/krb5_RCGIGQ1X (deleted)) : cloexec,  Fflags[0x8002], read-write

Jan 11 09:25:40  fd 1529 (/shared/tmp/krb5_RCGIGQ1X (deleted)) : cloexec,  Fflags[0x8002], read-write

--------

Jan  9 12:05:14  fd 355 (/shared/tmp/krb5_RCG6JmM9 (deleted)) : cloexec,  Fflags[0x8002], read-write

Jan 11 09:25:40  fd 355 (/shared/tmp/krb5_RCG6JmM9 (deleted)) : cloexec,  Fflags[0x8002], read-write

 

Someone encountered the same issue with v1.10.3 and upgrading to v1.14.5 did not help (https://groups.google.com/forum/#!searchin/comp.protocols.kerberos/leak%7Csort:date/comp.protocols.kerberos/pN4QCVcEMWc/xYMDKrLuBgAJ).

 

We were wondering if there is a solution to or a workaround for this issue.

 

TIA,

Daniel

 

 

So far I haven't been able to find a leak in the replay cache code, and
I can't find records of how previous reports of this kind of issue were
resolved.

Note that each GSS acceptor credential handle (if it contains a krb5
credential) holds a replay cache handle, which holds an open file
descriptor. So if the application is leaking GSS credential handles,
it would manifest as an fd leak in the process.
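
A triage aid for descriptor listings like the ones quoted in the report, added here as an example and not code from this thread or from krb5: it parses periodic snapshots in that line format and reports deleted replay cache temp files that stay open past a threshold, which is the pattern a leaked credential handle would produce. The year default, the 24-hour threshold, the function names and the two fd 77 sample lines are assumptions.

```python
import re
from datetime import datetime

# Line format as quoted in the report: "<Mon> <day> <time>  fd <n> (<path> (deleted)) : ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+fd\s+(?P<fd>\d+)\s+"
    r"\((?P<path>\S*/krb5_RC\w+) \(deleted\)\)")

# The first six lines are copied from the report; the fd 77 pair is constructed
# to show a short-lived descriptor that should not be flagged.
SAMPLE = """\
Jan  7 13:44:28   fd 1220 (/shared/tmp/krb5_RCB8Wi7X (deleted)) : cloexec,  Fflags[0x8002], read-write
Jan 11 09:25:40  fd 1220 (/shared/tmp/krb5_RCB8Wi7X (deleted)) : cloexec,  Fflags[0x8002], read-write
Jan  8 15:33:17  fd 1529 (/shared/tmp/krb5_RCGIGQ1X (deleted)) : cloexec,  Fflags[0x8002], read-write
Jan 11 09:25:40  fd 1529 (/shared/tmp/krb5_RCGIGQ1X (deleted)) : cloexec,  Fflags[0x8002], read-write
Jan  9 12:05:14  fd 355 (/shared/tmp/krb5_RCG6JmM9 (deleted)) : cloexec,  Fflags[0x8002], read-write
Jan 11 09:25:40  fd 355 (/shared/tmp/krb5_RCG6JmM9 (deleted)) : cloexec,  Fflags[0x8002], read-write
Jan 11 09:20:00  fd 77 (/shared/tmp/krb5_RCexample1 (deleted)) : cloexec,  Fflags[0x8002], read-write
Jan 11 09:25:40  fd 77 (/shared/tmp/krb5_RCexample1 (deleted)) : cloexec,  Fflags[0x8002], read-write
"""

def parse(lines, year=2019):
    """Yield (timestamp, fd, path). The log carries no year, so `year` is an
    assumption; snapshots that cross a year boundary need separate handling."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            stamp = f"{year} {' '.join(m['ts'].split())}"
            yield datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), int(m["fd"]), m["path"]

def long_lived(lines, min_hours=24.0):
    """Map (fd, path) -> hours between first and last sighting, if >= min_hours."""
    spans = {}
    for ts, fd, path in parse(lines):
        first, last = spans.get((fd, path), (ts, ts))
        spans[(fd, path)] = (min(first, ts), max(last, ts))
    ages = {k: (b - a).total_seconds() / 3600 for k, (a, b) in spans.items()}
    return {k: round(h, 1) for k, h in ages.items() if h >= min_hours}

if __name__ == "__main__":
    for (fd, path), hours in sorted(long_lived(SAMPLE.splitlines()).items()):
        print(f"fd {fd} {path}: deleted but still open for {hours} h")
```

Keying on the (fd, path) pair rather than the fd number alone avoids counting a reused descriptor number as one long-lived file.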