[3505] in Kerberos-V5-bugs
[krbdev.mit.edu #1206] padata not freed from reply structure
daemon@ATHENA.MIT.EDU (The RT System itself via RT)
Fri Oct 4 09:25:14 2002
Message-Id: <rt-1206-3108.10.3532335506219@krbdev.mit.edu>
In-Reply-To: <rt-1206@krbdev.mit.edu>
From: "The RT System itself via RT" <rt-comment@krbdev.mit.edu>
Reply-To: rt-comment@krbdev.mit.edu
To: krb5-prs@mit.edu
Errors-To: krb5-bugs-admin@mit.edu
Date: Fri, 4 Oct 2002 09:24:35 -0400 (EDT)
From kwc@dh171.citi.umich.edu Fri Oct 4 09:24:32 2002
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by krbdev.mit.edu (8.9.3) with ESMTP
id JAA13557; Fri, 4 Oct 2002 09:24:32 -0400 (EDT)
Received: from dh171.citi.umich.edu (dh171.citi.umich.edu [141.211.133.171])
by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id JAA14956
for <krb5-bugs@mit.edu>; Fri, 4 Oct 2002 09:24:32 -0400 (EDT)
Received: (from kwc@localhost)
by dh171.citi.umich.edu (8.11.6/8.11.6) id g94DRuN32591;
Fri, 4 Oct 2002 09:27:56 -0400
Date: Fri, 4 Oct 2002 09:27:56 -0400
Message-Id: <200210041327.g94DRuN32591@dh171.citi.umich.edu>
To: krb5-bugs@mit.edu
Subject: padata memory leak in AS_REQ path
From: kwc@citi.umich.edu
Reply-To: kwc@citi.umich.edu
X-send-pr-version: 3.99
>Submitter-Id: net
>Originator: Kevin Coffman
>Organization:
Kevin Coffman
Center for Information Technology Integration
University of Michigan
3106 Argus
535 West William Street
Ann Arbor, MI, 48103-4943
Phone: (734) 763-0592
mailto:kwc@umich.edu
http://www.citi.umich.edu/u/kwc/
>Confidential: no
>Synopsis: padata not freed from reply structure
>Severity: serious
>Priority: medium
>Category: krb5-kdc
>Class: sw-bug
>Release: krb5-1.2.5
>Environment:
All systems and architectures are affected.
>Description:
When preauthentication data is returned as part of the
AS_REQ, the padata is never released from the reply
structure after the return packet is constructed.
Also, normal processing already frees the encrypting_key
contents, so it should be freed conditionally in the errout:
section.
>How-To-Repeat:
AS_REQs for users with only an AFS key in the database have
the pw-salt padata returned in the response. Also, we have
code to use the SPECIAL salt type for users whose principal
name (uniqname) has been changed. This also results in
padata being returned in the response.
>Fix:
Apply the following patch (this patch is against the 1.2.6 release):
--- src/kdc/do_as_req.c.orig Fri Oct 4 09:00:10 2002
+++ src/kdc/do_as_req.c Fri Oct 4 09:04:35 2002
@@ -448,8 +448,10 @@
errcode = prepare_error_as(request, errcode, &e_data, response);
}
- krb5_free_keyblock_contents(kdc_context, &encrypting_key);
-
+ if (encrypting_key.contents)
+ krb5_free_keyblock_contents(kdc_context, &encrypting_key);
+ if (reply.padata)
+ krb5_free_pa_data(kdc_context, reply.padata);
if (cname)
free(cname);
if (sname)
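Review bot: the `if (encrypting_key.contents)` guard only prevents a double free on the normal path if the earlier free the description refers to leaves `contents` NULL afterwards; if `krb5_free_keyblock_contents` clears the pointer itself (and skips a NULL pointer), the guard is redundant but harmless, and if it does not, the earlier free site must clear the pointer or the errout free is still a double free. The `if (reply.padata)` check likewise relies on `reply` being zeroed before the first possible `goto errout`, which this hunk does not show; worth confirming in the function prologue so an early error exit does not pass garbage to `krb5_free_pa_data`.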
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
http://mailman.mit.edu/mailman/listinfo/krb5-bugs
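The pattern the report asks for, a single exit block that frees the key and the padata list exactly once whichever path reaches it, is shown below as an added example. It is not code from the report or from the MIT krb5 sources: the struct names, the free routines, the counters and the sample pw-salt value are hypothetical stand-ins for krb5_keyblock, krb5_pa_data, krb5_free_keyblock_contents and krb5_free_pa_data, chosen so the block runs stand-alone. The point it demonstrates is that a conditional free in the errout block is only safe when the free routine clears the pointer it freed.

```c
/* Added example modelled on the do_as_req.c errout: block; all names are
 * hypothetical stand-ins, not the krb5 API. */
#include <stdlib.h>
#include <string.h>

struct keyblock {            /* stand-in for krb5_keyblock */
    size_t length;
    unsigned char *contents;
};

struct pa_data {             /* stand-in for one krb5_pa_data element */
    int type;
    size_t length;
    unsigned char *contents;
};

struct reply {               /* stand-in for the KDC reply structure */
    struct pa_data **padata; /* NULL-terminated array, or NULL */
};

/* Counters so a caller can check that each allocation is freed exactly once. */
int key_frees;
int padata_frees;

/* Free the key material and clear the pointer, so a second call is a no-op.
 * This is what makes "free conditionally in errout" safe after the normal
 * path has already released the key. */
void free_keyblock_contents(struct keyblock *key)
{
    if (key->contents == NULL)
        return;
    memset(key->contents, 0, key->length); /* scrub key bytes before release */
    free(key->contents);
    key->contents = NULL;
    key->length = 0;
    key_frees++;
}

void free_pa_data(struct pa_data **padata)
{
    if (padata == NULL)
        return;
    for (struct pa_data **p = padata; *p != NULL; p++) {
        free((*p)->contents);
        free(*p);
        padata_frees++;
    }
    free(padata);
}

/* Hypothetical helper: build a one-element padata list carrying a
 * constructed pw-salt string (PA-PW-SALT is padata type 3 in RFC 4120). */
static struct pa_data **make_padata(const char *salt)
{
    struct pa_data **list = calloc(2, sizeof(*list));
    list[0] = calloc(1, sizeof(**list));
    list[0]->type = 3;
    list[0]->length = strlen(salt);
    list[0]->contents = malloc(list[0]->length);
    memcpy(list[0]->contents, salt, list[0]->length);
    return list;
}

/* Simulated AS_REQ handling. fail_early != 0 takes the error path before
 * the key is consumed; with_padata != 0 attaches a pw-salt to the reply.
 * Returns the error code; counters record how many frees happened. */
int process_as_req(int fail_early, int with_padata)
{
    int errcode = 0;
    struct keyblock encrypting_key = { 0, NULL };
    struct reply reply = { NULL };       /* zeroed before any goto errout */

    key_frees = 0;
    padata_frees = 0;
    encrypting_key.length = 16;
    encrypting_key.contents = calloc(16, 1);
    if (with_padata)
        reply.padata = make_padata("EXAMPLE.ORGalice"); /* constructed */

    if (fail_early) {
        errcode = -1;
        goto errout;
    }

    /* Normal path: the key is used up while building the response ... */
    free_keyblock_contents(&encrypting_key);

errout:
    /* ... so these guarded frees must be harmless when they run again. */
    if (encrypting_key.contents)
        free_keyblock_contents(&encrypting_key);
    if (reply.padata)
        free_pa_data(reply.padata);
    reply.padata = NULL;
    return errcode;
}
```

On the success path the key is freed once by the normal code and the errout guard sees a NULL pointer; on the early-error path only the errout free runs. In both cases the padata list is released exactly once, which is the leak the patch closes.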