[2855] in Kerberos-V5-bugs
krb5-admin/526: kadmind fast file descriptor leak
daemon@ATHENA.MIT.EDU (hedrick@nbcs.rutgers.edu)
Tue Jan 13 15:21:19 1998
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: bjaspan@MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, hedrick@nbcs.rutgers.edu
Date: Tue, 13 Jan 1998 15:20:17 -0500 (EST)
From: hedrick@nbcs.rutgers.edu
Reply-To: hedrick@nbcs.rutgers.edu
To: krb5-bugs@MIT.EDU
>Number: 526
>Category: krb5-admin
>Synopsis: kadmind is leaking file descriptors
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: bjaspan
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Jan 13 15:21:00 EST 1998
>Last-Modified:
>Originator: Charles Hedrick
>Organization:
Rutgers University
>Release: 1.0pl1
>Environment:
System: SunOS ns-dev.rutgers.edu 5.5.1 Generic sun4m sparc SUNW,SPARCstation-20
Architecture: sun4
>Description:
Kadmind is leaking file descriptors. After a few hours, lsof shows
lots of fd's open on /usr/tmp/rc_kadmin_0.
I suspect that the replay cache is not working properly. The rcache
code doesn't seem to be designed to have multiple contexts working
with the same replay cache file name. In such a case I believe
invalid things will happen.
>How-To-Repeat:
Change your password 64 times.
>Fix:
The RPC mechanism is calling _svcauth_gssapi, krb5_gss_accept_sec_context,
krb5_rd_req, krb5_get_server_rcache. Krb5_gss_accept_sec_context
creates a new auth context. Since its rcache field is NULL,
krb5_rd_req calls krb5_get_server_rcache to create a new krb5_rcache.
The end result is a new rcache for each authenticator. This appears
to be invalid (though without real documentation for the library
calls, it's hard to be sure what is and isn't valid).
I propose to change krb5_get_server_rcache to maintain a global
krb5_rcache. The first time it is called, the existing code
would be used to create one. All later times, the same
krb5_rcache would be returned.
>Audit-Trail:
>Unformatted:
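
Added example, not part of the original report or of the krb5 source: a small C model of the leak described under >Fix: (a new cache handle, and so a new descriptor, per authenticator) next to the proposed single shared handle. The names `struct rcache`, `rcache_open_new`, `rcache_get_shared` and `fds_left_open` are hypothetical, and /dev/null stands in for the replay cache file.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical stand-in for a replay cache handle; not the krb5 library's type. */
struct rcache { int fd; };

/* Assumption: /dev/null stands in for the cache file (the report's is /usr/tmp/rc_kadmin_0). */
static const char *RC_PATH = "/dev/null";

/* Models the reported behaviour: every call opens the cache file again. */
static struct rcache *rcache_open_new(void) {
    struct rcache *rc = malloc(sizeof *rc);
    if (rc == NULL) return NULL;
    rc->fd = open(RC_PATH, O_RDWR);
    if (rc->fd < 0) { free(rc); return NULL; }
    return rc;
}

/* Models the proposed fix: create once, return the same handle on later calls. */
static struct rcache *rcache_get_shared(void) {
    static struct rcache *global_rc;
    if (global_rc == NULL) global_rc = rcache_open_new();
    return global_rc;
}

/* Count descriptors currently open in this process (what lsof would list). */
static int count_open_fds(void) {
    long max = sysconf(_SC_OPEN_MAX);
    int n = 0;
    if (max < 0 || max > 4096) max = 4096;   /* bound the scan */
    for (long fd = 0; fd < max; fd++)
        if (fcntl((int)fd, F_GETFD) != -1) n++;
    return n;
}

/* Handle `requests` authenticators; return how many descriptors stayed open. */
int fds_left_open(int requests, int shared) {
    int before = count_open_fds();
    for (int i = 0; i < requests; i++) {
        struct rcache *rc = shared ? rcache_get_shared() : rcache_open_new();
        if (rc == NULL) break;               /* descriptor limit reached */
        /* the replay check would run here; the handle is never closed */
    }
    return count_open_fds() - before;
}

int main(void) {
    printf("per-request rcache: %d fds left open\n", fds_left_open(64, 0));
    printf("shared rcache:      %d fds left open\n", fds_left_open(64, 1));
    return 0;
}
```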