[1030] in Kerberos-V5-bugs
"client_server_info.client" mishandled
daemon@ATHENA.MIT.EDU (Jim Miller)
Tue Jan 3 16:48:13 1995
From: jim@bilbo.suite.com (Jim Miller)
Date: Tue, 3 Jan 95 15:47:51 -0600
To: krb5-bugs@MIT.EDU
Reply-To: Jim_Miller@suite.com
This bug report is for KRB5, beta 4, patchlevel 3.
In the function "adm_mod_old_key" (file adm_adm_func), near the bottom of
the "for" loop, there is the following line:
entry.mod_name = client_server_info.client;
Eventually the following line is executed, either upon exit from the "for"
loop, or because an error was returned from a function call.
krb5_db_free_principal(&entry, nprincs);
This call will free the memory used by "client_server_info.client". You
might think this was a prelude to a double free of
"client_server_info.client". However, I can't find any place in the
kadmin/server code that frees "client_server_info.client".
Solution: There are two problems here; first, "client_server_info.client"
is not being freed. Therefore, put in a call to
krb5_free_principal(client_server_info.client);
near the end of "process_client" (server/adm_process). Second, in
"adm_mod_old_key", replace
entry.mod_name = client_server_info.client;
with
krb5_copy_principal(client_server_info.client, &entry.mod_name);
I realize that "process_client" doesn't really need to free all of its
stuff because it normally runs in a short-lived child process. However,
it does cause memory leaks if you run kadmin in debug mode for any length
of time. Besides, it's the right thing to do. :-)
Jim_Miller@suite.com
P.S. Also in "process_client", "client_auth_data" and "client_creds" are
not freed.
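The ownership problem described in the report, modelled as an added example (this is not code from the bug report or from the MIT Kerberos sources). The names principal_t, db_entry_t, principal_copy, principal_free and db_entry_free are hypothetical stand-ins for krb5_principal, krb5_db_entry, krb5_copy_principal, krb5_free_principal and krb5_db_free_principal; the live-pointer table is instrumentation added so that the dangling pointer and the double free are reported as return values instead of corrupting the heap. The principal name used as input is constructed for the example.

```c
/*
 * Added example: why "entry.mod_name = client" is a bug, why adding only
 * the free at the end of process_client turns it into a double free, and
 * why the copy plus the free together are correct.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 16

typedef struct { char *name; } principal_t;               /* stand-in for krb5_principal */
typedef struct { principal_t *mod_name; } db_entry_t;     /* stand-in for krb5_db_entry  */

/* Instrumentation (not part of any real API): table of live principals. */
static principal_t *live[MAX_LIVE];
static int live_count;
static int double_free_count;

static void reset_tracking(void) { live_count = 0; double_free_count = 0; }

/* Compares pointer values only; never dereferences a possibly freed pointer. */
static int is_live(const principal_t *p) {
    for (int i = 0; i < live_count; i++)
        if (live[i] == p) return 1;
    return 0;
}

static char *dup_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

static principal_t *principal_new(const char *name) {
    principal_t *p = malloc(sizeof *p);
    p->name = dup_string(name);
    live[live_count++] = p;
    return p;
}

/* Stand-in for krb5_copy_principal: a deep copy with its own allocation. */
static principal_t *principal_copy(const principal_t *src) {
    return principal_new(src->name);
}

/* Stand-in for krb5_free_principal. A real free would corrupt the heap on
 * a second call; here a pointer that is no longer live is counted instead. */
static void principal_free(principal_t *p) {
    if (!is_live(p)) { double_free_count++; return; }
    for (int i = 0; i < live_count; i++)
        if (live[i] == p) { live[i] = live[--live_count]; break; }
    free(p->name);
    free(p);
}

/* Stand-in for krb5_db_free_principal: the entry owns mod_name and frees it. */
static void db_entry_free(db_entry_t *e) {
    principal_free(e->mod_name);
    e->mod_name = NULL;
}

/* The original code: alias, then free the entry.
 * Returns whether the caller's client pointer is still valid afterwards. */
static int scenario_alias_only(void) {
    reset_tracking();
    principal_t *client = principal_new("admin/admin@EXAMPLE.COM");  /* constructed input */
    db_entry_t entry = { 0 };
    entry.mod_name = client;      /* the bug: the entry now "owns" the caller's principal */
    db_entry_free(&entry);        /* frees client as a side effect */
    return is_live(client);       /* 0: client dangles for the rest of process_client */
}

/* Only the "free client at the end" fix applied, without the copy.
 * Returns the number of double frees that occurred. */
static int scenario_free_without_copy(void) {
    reset_tracking();
    principal_t *client = principal_new("admin/admin@EXAMPLE.COM");
    db_entry_t entry = { 0 };
    entry.mod_name = client;
    db_entry_free(&entry);
    principal_free(client);       /* second free of the same allocation */
    return double_free_count;     /* 1 */
}

/* Both fixes: copy into the entry, free the original when done.
 * Returns 1 when client stayed valid, nothing was freed twice, and no leak remains. */
static int scenario_fixed(void) {
    reset_tracking();
    principal_t *client = principal_new("admin/admin@EXAMPLE.COM");
    db_entry_t entry = { 0 };
    entry.mod_name = principal_copy(client);   /* the entry owns its own copy */
    db_entry_free(&entry);
    int client_ok = is_live(client) && strcmp(client->name, "admin/admin@EXAMPLE.COM") == 0;
    principal_free(client);                    /* the one free the caller owes */
    return client_ok && double_free_count == 0 && live_count == 0;
}

int main(void) {
    printf("alias only:        client still live = %d\n", scenario_alias_only());
    printf("free without copy: double frees      = %d\n", scenario_free_without_copy());
    printf("copy + free:       correct           = %d\n", scenario_fixed());
    return 0;
}
```

The middle scenario is the reason the two changes have to go in together: freeing "client_server_info.client" at the end of "process_client" is only safe once "adm_mod_old_key" stops storing the same pointer in an entry that "krb5_db_free_principal" will free.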