[17024] in Kerberos-V5-bugs
[krbdev.mit.edu #9178] krb5_cc_set_config() fails to overwrite
daemon@ATHENA.MIT.EDU (daemon@ATHENA.MIT.EDU)
Mon Jul 7 12:10:57 2025
From: "Steffen Kieß via RT" <rt-comment@kerborg-prod-app-1.mit.edu>
In-Reply-To: <66854a1b-2ff7-4183-b752-1ed990883b07@cis.iti.uni-stuttgart.de>
Message-ID: <rt-4.4.3-2-1168337-1751904650-1441.9178-4-0@kerborg-prod-app-1.mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9178":;
Date: Mon, 07 Jul 2025 12:10:50 -0400
Mon Jul 07 12:10:50 2025: Request 9178 was acted upon.
Transaction: Ticket created by steffen.kiess@cis.iti.uni-stuttgart.de
Queue: krb5
Subject: krb5_cc_set_config() fails to overwrite existing entries and creates duplicate credential objects
Owner: Nobody
Requestors: steffen.kiess@cis.iti.uni-stuttgart.de
Status: new
Ticket <URL: http://kerborg-prod-app-1.mit.edu/rt/Ticket/Display.html?id=9178 >
krb5_cc_set_config() fails to overwrite existing entries and creates
duplicate credential objects, at least for FILE:, MEMORY: and KCM: (with
Heimdal kcm) CCs. This can cause the CC to be filled with hundreds of
"refresh_time" entries (which can be seen e.g. with "klist -AC").
This is probably related to
<https://github.com/krb5/krb5/commit/c0a51fe0c8051e27c6cee4f4f0c705356a715e1e>.
The following code demonstrates the problem:
    #include <stdio.h>
    #include <stdlib.h>   /* malloc(), abort() */
    #include <string.h>
    #include <krb5.h>

    int main() {
        krb5_context context;
        if (krb5_init_context(&context)) abort();

        const char* cname = "FILE:/tmp/test-cache";
        // const char* cname = "KCM:1000:12345";
        // const char* cname = "MEMORY:";
        // const char* cname = "KEYRING:";

        // Create credential cache
        krb5_ccache cache;
        if (krb5_cc_resolve(context, cname, &cache)) abort();
        krb5_principal princ;
        if (krb5_build_principal(context, &princ, 5, "REALM", "user", NULL))
            abort();
        if (krb5_cc_initialize(context, cache, princ)) abort();

        // Set config "test" to "foo"
        krb5_data data;
        data.data = "foo";
        data.length = 3;
        if (krb5_cc_set_config(context, cache, NULL, "test", &data)) abort();

        // Read config "test"
        if (krb5_cc_get_config(context, cache, NULL, "test", &data)) abort();
        {
            // Copy into a NUL-terminated buffer for printing
            char* data2 = malloc(data.length + 1);
            if (!data2) abort();
            memcpy(data2, data.data, data.length);
            data2[data.length] = 0;
            printf("krb5_cc_get_config: '%s'\n", data2);
        }

        // Set config "test" to "foo2"
        data.data = "foo2";
        data.length = 4;
        if (krb5_cc_set_config(context, cache, NULL, "test", &data)) abort();

        // Read config "test"
        if (krb5_cc_get_config(context, cache, NULL, "test", &data)) abort();
        {
            char* data2 = malloc(data.length + 1);
            if (!data2) abort();
            memcpy(data2, data.data, data.length);
            data2[data.length] = 0;
            printf("krb5_cc_get_config: '%s'\n", data2);
        }

        // Print entries in cache
        krb5_cc_cursor cursor;
        if (krb5_cc_start_seq_get(context, cache, &cursor)) abort();
        for (;;) {
            krb5_creds creds;
            if (krb5_cc_next_cred(context, cache, &cursor, &creds)) break;
            char* data2 = malloc(creds.ticket.length + 1);
            if (!data2) abort();
            memcpy(data2, creds.ticket.data, creds.ticket.length);
            data2[creds.ticket.length] = 0;
            printf("Got: '%s'\n", data2);
        }
    }
The output on my system is:
krb5_cc_get_config: 'foo'
krb5_cc_get_config: 'foo'
Got: 'foo'
Got: 'foo2'
It should be:
krb5_cc_get_config: 'foo'
krb5_cc_get_config: 'foo2'
Got: 'foo2'
This affects the current git master (and probably krb5 versions going
back more than a decade).
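Added example, not part of the original report and not MIT krb5 code: a self-contained C model that reproduces the reported output (the second store is appended and the lookup returns the first match) next to the replace-on-set behaviour the report expects. The struct and function names are hypothetical, and the append-plus-first-match mechanism is an assumption inferred from the output shown in the report.

```c
/* Added model, NOT libkrb5: a ccache reduced to an ordered list of entries. */
#include <stdio.h>
#include <string.h>
#define MAX_ENTRIES 16

struct entry { char key[32]; char value[32]; };
struct cache { struct entry e[MAX_ENTRIES]; int n; };

/* Behaviour matching the report: every set appends another entry. */
static int set_config_append(struct cache *c, const char *key, const char *val) {
    if (c->n == MAX_ENTRIES) return -1;          /* cache full */
    snprintf(c->e[c->n].key, sizeof c->e[c->n].key, "%s", key);
    snprintf(c->e[c->n].value, sizeof c->e[c->n].value, "%s", val);
    c->n++;
    return 0;
}

/* Expected behaviour: drop existing entries for the key, then store. */
static int set_config_replace(struct cache *c, const char *key, const char *val) {
    int kept = 0;
    for (int i = 0; i < c->n; i++)
        if (strcmp(c->e[i].key, key) != 0)
            c->e[kept++] = c->e[i];              /* compact the survivors */
    c->n = kept;
    return set_config_append(c, key, val);
}

/* Lookup returns the first match in storage order, so a stale entry wins. */
static const char *get_config(const struct cache *c, const char *key) {
    for (int i = 0; i < c->n; i++)
        if (strcmp(c->e[i].key, key) == 0) return c->e[i].value;
    return NULL;
}

/* Duplicate check: how many stored entries share this config key? */
static int count_entries(const struct cache *c, const char *key) {
    int hits = 0;
    for (int i = 0; i < c->n; i++)
        hits += strcmp(c->e[i].key, key) == 0;
    return hits;
}

int main(void) {
    struct cache a, b;
    memset(&a, 0, sizeof a); memset(&b, 0, sizeof b);
    set_config_append(&a, "test", "foo");  set_config_append(&a, "test", "foo2");
    set_config_replace(&b, "test", "foo"); set_config_replace(&b, "test", "foo2");
    printf("append:  get='%s' entries=%d\n", get_config(&a, "test"), count_entries(&a, "test"));
    printf("replace: get='%s' entries=%d\n", get_config(&b, "test"), count_entries(&b, "test"));
}
```

In the append model a periodically rewritten key grows by one entry per write, which is the unbounded "refresh_time" growth the report describes.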