[352] in Kerberos-V5-bugs
memory leaks in krb5_free_principal
daemon@ATHENA.MIT.EDU (Jim Miller)
Mon Sep 20 17:57:21 1993
From: jim@bilbo.suite.com (Jim Miller)
Date: Mon, 20 Sep 93 16:45:23 -0500
To: krb5-bugs@MIT.EDU
Cc: kerberos@MIT.EDU
Reply-To: Jim_Miller@suite.com
Although I found these in Kerberos 5 pre-beta3, I think the same errors exist in
Krb5 beta2.

Here's the code in krb5_free_principal (lib/free/f_principal.c):

    void
    krb5_free_principal(val)
        krb5_principal val;
    {
        register int i = krb5_princ_size(val);

        while(--i >= 0)
            free(krb5_princ_component(val, i)->data);
        xfree(val);
        return;
    }

The macro "krb5_princ_component" expands to...

    #define krb5_princ_component(princ,i) ((princ)->data + i)

Which means the above code becomes:

    void
    krb5_free_principal(val)
        krb5_principal val;
    {
        register int i = krb5_princ_size(val);

        while(--i >= 0)
            free(((val)->data + i)->data);
        xfree(val);
        return;
    }

"val->data" is an array of krb_data structures. There are "val->length"
krb_data structures in the "val->data" array. Each krb_data structure has a
pointer to its own varying length string. The "while" loop frees the memory
that each krb_data structure uses to hold its varying length string. However,
the "val->data" array itself never gets freed!

The other problem with this function is that "val->realm" is not being freed!

Suggested fix:

    void
    krb5_free_principal(val)
        krb5_principal val;
    {
        if (val->realm.data)
            xfree(val->realm.data);
        if (val->data) {
            register int i = val->length;

            while(--i >= 0)
                xfree((val->data + i)->data);
            xfree(val->data);
        }
        xfree(val);
        return;
    }

I removed the use of the macros so it becomes easier to see what is really
going on. Also, by not using the macros I assume it now becomes possible to
use the "xfree" macro instead of using "free" directly. Not that this is
really important, but I like to be consistent.

Jim_Miller@suite.com
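
The two leaks described in the report, reproduced as an added example (not part of the original message or of the Kerberos source). The structs are simplified stand-ins, and counted_alloc, counted_free, build_principal and leaked_blocks are hypothetical helpers that count how many blocks each version of the free logic leaves allocated.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Simplified stand-ins for the structures the report describes (assumed layout). */
struct data { int length; char *data; };
struct principal { struct data realm; struct data *data; int length; };
static int live_blocks;   /* allocations not yet released */
static void *counted_alloc(size_t n) { live_blocks++; return calloc(1, n ? n : 1); }
static void counted_free(void *p) { if (p) { live_blocks--; free(p); } }

/* Allocates the struct, the realm string, the component array and n strings. */
static struct principal *build_principal(int n) {
    struct principal *p = counted_alloc(sizeof *p);
    p->realm.data = strcpy(counted_alloc(14), "EXAMPLE.REALM");   /* constructed */
    p->length = n;
    p->data = counted_alloc(n * sizeof *p->data);
    for (int i = 0; i < n; i++)
        p->data[i].data = strcpy(counted_alloc(10), "component"); /* constructed */
    return p;
}

/* Logic of the function as quoted in the report. */
static void free_as_reported(struct principal *val) {
    int i = val->length;
    while (--i >= 0) counted_free((val->data + i)->data);
    counted_free(val);
}

/* Logic of the suggested fix. */
static void free_as_fixed(struct principal *val) {
    if (val->realm.data) counted_free(val->realm.data);
    if (val->data) {
        int i = val->length;
        while (--i >= 0) counted_free((val->data + i)->data);
        counted_free(val->data);
    }
    counted_free(val);
}

/* Blocks still allocated after building and freeing an n-component principal. */
int leaked_blocks(void (*free_fn)(struct principal *), int n) {
    live_blocks = 0;
    free_fn(build_principal(n));
    return live_blocks;
}

int main(void) {
    int a = leaked_blocks(free_as_reported, 2), b = leaked_blocks(free_as_fixed, 2);
    return printf("reported: %d leaked, fixed: %d leaked\n", a, b) < 0;
}
```

The leaked count for the reported logic does not depend on the number of components: it is always the component array plus the realm string.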