[3303] in Kerberos-V5-bugs
krb5-libs/1048: ["Kunze, Babak" ] Bug in MIT Kerberos V5 1.2.3
daemon@ATHENA.MIT.EDU (Sam Hartman)
Fri Feb 1 06:23:04 2002
Resent-From: gnats@rt-11.mit.edu (GNATS Management)
Resent-To: krb5-unassigned@rt-11.mit.edu
Resent-Reply-To: krb5-bugs@MIT.EDU, Sam Hartman <hartmans@MIT.EDU>
Message-Id: <tsladutv43f.fsf@tir-na-nogth.mit.edu>
Date: 01 Feb 2002 06:22:44 -0500
From: Sam Hartman <hartmans@MIT.EDU>
To: krb5-bugs@mit.edu
>Number: 1048
>Category: krb5-libs
>Synopsis: memory leak in initial credentials path
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Feb 1 06:23:00 EST 2002
>Last-Modified:
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
------- Start of forwarded message -------
Message-ID: <D95D9818A782D41189F600105AEFF790333994@exchange.intern.cm-ag>
From: "Kunze, Babak" <bk@cm-ag.de>
To: "'krbcore@mit.edu'" <krbcore@mit.edu>
Subject: Bug in MIT Kerberos V5 1.2.3
Date: Fri, 1 Feb 2002 12:09:08 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Hi Folks,
I could not find out which address I am supposed to report bugs to. I
hope you can forward this to the right guys.
There is a bug in "krb5_get_init_creds" or probably in
"krb5_get_init_creds_password" (depends on point of view) which causes
memory leaks when a user supplies a bad password. In any case, however, the
code in "get_in_tkt.c" does *as_reply = local_as_reply when (as_reply !=
NULL). Then "krb5_get_init_creds_password" retries with use_master = 1, but
it supplies "&as_reply" again, in which case "*as_reply" is set to the
new "local_as_reply". The old value has not been freed and is now lost in
nirvana.
Hope I could help.
Babak Kunze
This could be fixed as follows in "gic_pwd.c":
<--------- snip ---------->
    /* first try: get the requested tkt from any kdc */
    ret = krb5_get_init_creds(context, creds, client, prompter, data,
                              start_time, in_tkt_service, options,
                              krb5_get_as_key_password, (void *) &pw0,
                              use_master, &as_reply);

    /* check for success */
    if (ret == 0)
        goto cleanup;

    /* If all the kdc's are unavailable, or if the error was due to a
       user interrupt, fail */
    if ((ret == KRB5_KDC_UNREACH) ||
        (ret == KRB5_LIBOS_PWDINTR) ||
        (ret == KRB5_REALM_CANT_RESOLVE))
        goto cleanup;

    /* if the reply did not come from the master kdc, try again with
       the master kdc */
    if (!use_master) {
        use_master = 1;

        /*******************************************/
        /***** release the old value here *******/
        /*******************************************/
        if (as_reply) {
            krb5_free_kdc_rep(context, as_reply);
            as_reply = NULL;
        }

        ret2 = krb5_get_init_creds(context, creds, client, prompter, data,
                                   start_time, in_tkt_service, options,
                                   krb5_get_as_key_password, (void *) &pw0,
                                   use_master, &as_reply);
<--------- snip ---------->
------- End of forwarded message -------
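Added example, not part of the report above and not krb5 code: a stand-alone C model of the retry path the report describes, so the leak and the proposed free can be checked without a KDC. All names (kdc_rep, fake_get_init_creds, fake_free_kdc_rep, live_reps, retry_and_count_leaks) are constructed stand-ins for the krb5 types and functions, and the stand-in always fails as a bad-password attempt would.

```c
#include <stdlib.h>

/* Constructed stand-in for krb5_kdc_rep. */
typedef struct { int from_master; } kdc_rep;

/* Number of kdc_rep objects allocated and not yet freed (leak counter). */
static int live_reps = 0;

/* Stand-in for krb5_get_init_creds: like the real one as described in the
   report, it stores its local reply through *as_reply whenever as_reply is
   non-NULL, overwriting (not freeing) whatever was there before. It always
   returns non-zero to simulate a rejected password. */
static int fake_get_init_creds(int use_master, kdc_rep **as_reply)
{
    kdc_rep *local_as_reply = malloc(sizeof *local_as_reply);
    local_as_reply->from_master = use_master;
    live_reps++;
    if (as_reply != NULL) {
        *as_reply = local_as_reply;   /* old *as_reply is lost here */
    } else {
        free(local_as_reply);
        live_reps--;
    }
    return -1;                        /* simulated failure (bad password) */
}

/* Stand-in for krb5_free_kdc_rep. */
static void fake_free_kdc_rep(kdc_rep *rep)
{
    if (rep) { free(rep); live_reps--; }
}

/* The gic_pwd.c retry sequence, modelled. fixed == 0 reproduces the leak;
   fixed == 1 releases the first reply before retrying against the master
   KDC, as the report proposes. Returns the number of replies still
   allocated after the cleanup step, i.e. the number leaked. */
int retry_and_count_leaks(int fixed)
{
    kdc_rep *as_reply = NULL;
    int use_master = 0;
    int ret;

    live_reps = 0;
    ret = fake_get_init_creds(use_master, &as_reply);   /* first try: any KDC */
    if (ret != 0 && !use_master) {
        use_master = 1;
        if (fixed && as_reply) {                          /* proposed fix */
            fake_free_kdc_rep(as_reply);
            as_reply = NULL;
        }
        ret = fake_get_init_creds(use_master, &as_reply); /* retry: master */
    }
    fake_free_kdc_rep(as_reply);  /* cleanup frees only the current reply */
    return live_reps;
}
```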