
From: "Sergio Gelato" <Sergio.Gelato@astro.su.se>
Subject: Memory leak in krb5_gss_inquire_cred
To: krb5-bugs@mit.edu
Date: Fri, 16 Jul 2021 12:31:19 +0200
(I reported this one to Debian yesterday, #991140 there, but since you still
accept bug reports from people without a GitHub account and it seems to be
still unfixed in master, here it is directly.)

krb5_gss_inquire_cred() doesn't release the default credential on success
when called with GSS_C_NO_CREDENTIAL. Patch attached.

Message body is not shown because sender requested not to inline it.

This bug was introduced in commit 1cd2821c19b2b95e39d5fc2f451a035585a40fa5 ("Make gss-krb5 use cache collection").  In the previous code, cred could be an owner pointer or a casted alias to cred_handle, and the default cred was freed with "if (cred_handle == NULL) krb5_gss_release_cred(minor_status, &cred)" along the success and failure paths.  The aforementioned commit cleans this up by introducing defcred as the owner pointer for the obtained default credential; however, it neglected to update the freeing code along the success path.  Since the new code also reassigns cred_handle when obtaining a default cred, the old code does not trigger and the default credential is not freed.

It looks like it should be possible to unify the success and failure paths, and I may do that rather than make the trivial fix.
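
The ownership bug described in the comment above, reduced to a stand-alone C sketch (an added example, not code from krb5 or from the attached patch). `toy_cred`, `toy_acquire_default`, `toy_release`, `live_creds` and both `inquire_*` functions are hypothetical stand-ins; `inquire_leaky` keeps the stale `cred_handle == NULL` test after the handle has been reassigned, while `inquire_fixed` releases the owner pointer in one cleanup block shared by success and failure.

```c
#include <stdlib.h>

/* Toy stand-ins (hypothetical, not krb5 types or functions). */
typedef struct { int usage; } toy_cred;
static int live_creds;                  /* outstanding allocations */

static toy_cred *toy_acquire_default(void) {
    toy_cred *c = calloc(1, sizeof(*c));
    if (c != NULL) { c->usage = 1; live_creds++; }
    return c;
}
static void toy_release(toy_cred **c) {
    if (*c != NULL) { free(*c); *c = NULL; live_creds--; }
}

/* Leaky shape: the success path still tests the caller's handle, but the
 * handle was reassigned to the default cred, so the test is never true. */
int inquire_leaky(toy_cred *cred_handle, int *usage_out) {
    toy_cred *defcred = NULL;
    if (cred_handle == NULL) {
        defcred = toy_acquire_default();
        if (defcred == NULL) return -1;
        cred_handle = defcred;          /* alias hides "caller passed NULL" */
    }
    *usage_out = cred_handle->usage;
    if (cred_handle == NULL)            /* stale check: dead code */
        toy_release(&defcred);
    return 0;
}

/* Unified cleanup: the owner pointer is released on every exit. */
int inquire_fixed(toy_cred *cred_handle, int *usage_out) {
    toy_cred *defcred = NULL;
    int ret = -1;
    if (cred_handle == NULL) {
        defcred = toy_acquire_default();
        if (defcred == NULL) goto cleanup;
        cred_handle = defcred;
    }
    *usage_out = cred_handle->usage;
    ret = 0;
cleanup:
    toy_release(&defcred);              /* no-op when caller supplied a cred */
    return ret;
}
```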
 
From: ghudson@mit.edu
Subject: git commit

Fix defcred leak in krb5 gss_inquire_cred()

Commit 1cd2821c19b2b95e39d5fc2f451a035585a40fa5 altered the memory
management of krb5_gss_inquire_cred(), introducing defcred to act as
an owner pointer when the function must acquire a default credential.
The commit neglected to update the code to release the default cred
along the successful path. The old code does not trigger because
cred_handle is now reassigned, so the default credential is leaked.

Unify the success and failure cleanup for this function so that
defcred is properly released on success.

Reported by Pavel Březina.

https://github.com/krb5/krb5/commit/593e16448e1af23eef74689afe06a7bcc86e79c7
Author: Greg Hudson <ghudson@mit.edu>
Commit: 593e16448e1af23eef74689afe06a7bcc86e79c7
Branch: master
src/lib/gssapi/krb5/inq_cred.c | 16 ++++++----------
1 files changed, 6 insertions(+), 10 deletions(-)
Subject: git commit
From: ghudson@mit.edu

Fix defcred leak in krb5 gss_inquire_cred()

Commit 1cd2821c19b2b95e39d5fc2f451a035585a40fa5 altered the memory
management of krb5_gss_inquire_cred(), introducing defcred to act as
an owner pointer when the function must acquire a default credential.
The commit neglected to update the code to release the default cred
along the successful path. The old code does not trigger because
cred_handle is now reassigned, so the default credential is leaked.

Reported by Pavel Březina.

(a minimal alternative to commit 593e16448e1af23eef74689afe06a7bcc86e79c7)

https://github.com/krb5/krb5/commit/b92be484630b38e26f5ee4bd67973fbd7627009c
Author: Greg Hudson <ghudson@mit.edu>
Commit: b92be484630b38e26f5ee4bd67973fbd7627009c
Branch: krb5-1.18
src/lib/gssapi/krb5/inq_cred.c | 4 +---
1 files changed, 1 insertions(+), 3 deletions(-)
Subject: git commit
From: ghudson@mit.edu

Fix defcred leak in krb5 gss_inquire_cred()

Commit 1cd2821c19b2b95e39d5fc2f451a035585a40fa5 altered the memory
management of krb5_gss_inquire_cred(), introducing defcred to act as
an owner pointer when the function must acquire a default credential.
The commit neglected to update the code to release the default cred
along the successful path. The old code does not trigger because
cred_handle is now reassigned, so the default credential is leaked.

Reported by Pavel Březina.

(a minimal alternative to commit 593e16448e1af23eef74689afe06a7bcc86e79c7)

https://github.com/krb5/krb5/commit/098f874f3b50dd2c46c0a574677324b5f6f3a1a8
Author: Greg Hudson <ghudson@mit.edu>
Commit: 098f874f3b50dd2c46c0a574677324b5f6f3a1a8
Branch: krb5-1.19
src/lib/gssapi/krb5/inq_cred.c | 4 +---
1 files changed, 1 insertions(+), 3 deletions(-)