[2648] in Kerberos-V5-bugs
pending/357:
daemon@ATHENA.MIT.EDU (Patrick Powell)
Mon Jan 27 14:37:42 1997
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: gnats-admin@rt-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, papowell@dickory.sdsu.edu
Date: Mon, 27 Jan 1997 11:34:51 -0800 (PST)
From: Patrick Powell <papowell@dickory.sdsu.edu>
Reply-To: papowell@dickory.sdsu.edu
To: krb5-bugs@MIT.EDU
>Number: 357
>Category: pending
>Synopsis:
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: gnats-admin
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Mon Jan 27 14:37:01 EST 1997
>Last-Modified:
>Originator: Patrick Powell
>Organization:
Prof. Patrick Powell
Dept. Electrical and Computer Engineering,
San Diego State University,
San Diego, CA 92182-1309
Office (619) 594-7796; Lab (619) 594-7578 FAX (619) 594-7577
email: papowell@sdsu.edu
>Release: 1.0
>Environment:
<machine, os, target, libraries (multiple lines)>
System: SunOS dickory 4.1.4 2 sun4m
Architecture: sun4
>Description:
<precise description of the problem (multiple lines)>
src/lib/krb5/krb/sendauth.b
krb5_sendauth(context, auth_context,
/* IN */
fd, appl_version, client, server, ap_req_options, in_data,
in_creds,
/* IN/OUT */
ccache,
/* OUT */
error, rep_result, out_creds)
krb5_context context;
krb5_auth_context * auth_context;
krb5_pointer fd;
char * appl_version;
krb5_principal client;
krb5_principal server;
krb5_flags ap_req_options;
krb5_data * in_data;
krb5_creds * in_creds;
krb5_ccache ccache;
krb5_error ** error;
krb5_ap_rep_enc_part ** rep_result;
krb5_creds ** out_creds;
out_creds is used to return the credentials to the caller.
At the end of the routine, we have the following:
retval = 0; /* Normal return */
if (out_creds) {
*out_creds = credsp; <--- returned to user value
}
error_return:
krb5_free_cred_contents(context, &creds);
if (credspout) <<<<<<<<<<<<<<<<<<<<
krb5_free_creds(context, credspout); <<<<<<<< whoops! we free this.
if (!ccache && use_ccache)
krb5_cc_close(context, use_ccache);
return(retval);
}
We should not free the credentials if they are returned.
>How-To-Repeat:
<code/input/activities to reproduce the problem (multiple lines)>
>Fix:
<how to correct or work around the problem, if known (multiple lines)>
*** sendauth.c Mon Jan 27 11:28:12 1997
--- sendauth.c.orig Mon Jan 27 11:28:09 1997
***************
*** 218,224 ****
error_return:
krb5_free_cred_contents(context, &creds);
! if ( !out_creds && credspout)
krb5_free_creds(context, credspout);
if (!ccache && use_ccache)
krb5_cc_close(context, use_ccache);
--- 218,224 ----
error_return:
krb5_free_cred_contents(context, &creds);
! if (credspout)
krb5_free_creds(context, credspout);
if (!ccache && use_ccache)
krb5_cc_close(context, use_ccache);
>Audit-Trail:
>Unformatted:
no
krb5_sendauth frees credentials even when returned to user
critical
high
krb5-libs
sw-bug