[354] in Kerberos-V5-bugs
minor memory leak in princ2kprinc.c
daemon@ATHENA.MIT.EDU (Jim Miller)
Mon Sep 20 19:46:50 1993
From: jim@bilbo.suite.com (Jim Miller)
Date: Mon, 20 Sep 93 18:34:47 -0500
To: krb5-bugs@MIT.EDU
Cc: kerberos@MIT.EDU
Reply-To: Jim_Miller@suite.com
The following code is from Kerberos 5 pre-beta3 with KRB_CRED patches applied,
but the bug may also be in earlier versions of Krb5.
The memory leak only occurs if the function exits abnormally.
Here's the code:
for (i = 1, rv = val->name__string; rv->next; i++, rv = rv->next)
;
/* plus one for the realm */ <-*** The comment is wrong. It seems
to me that the realm used to be
placed in the first slot of
the retval->data array. However,
this is no longer the case. The
realm is now placed in its own
separate area. This change is
probably the origin of one of the
krb5_free_principal memory leaks.***
retval->length = i;
retval->data = (krb5_data *)malloc(i * sizeof(krb5_data));
if (retval->data == 0) {
xfree(retval);
*error = ENOMEM;
return 0;
}
retval->type = val->name__type;
if (qbuf_to_data(realm, krb5_princ_realm(retval))) { <-*** putting realm in
separate area...
xfree(retval->data);
xfree(retval);
*error = ENOMEM;
return 0;
}
for (i = 0, rv = val->name__string; rv; rv = rv->next, i++)
if (qbuf_to_data(rv->GeneralString, krb5_princ_component(retval, i))) {
while (--i >= 0)
free(krb5_princ_component(retval, i)->data);
*error = ENOMEM;
return(0); <-*** We didn't free retval->realm. We also
didn't free retval->data or retval.
}
return(retval);
}
Suggested fix:
for (i = 0, rv = val->name__string; rv; rv = rv->next, i++)
if (qbuf_to_data(rv->GeneralString, krb5_princ_component(retval, i))) {
while (--i >= 0)
free(krb5_princ_component(retval, i)->data);
+ if (retval->realm.data) xfree(retval->realm.data);
+ xfree(retval->data);
+ xfree(retval);
*error = ENOMEM;
return(0);
}
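Review bot: With the three added `xfree` calls, this function releases `retval` by hand at three separate exits (after the `malloc` failure, after the realm copy, and here in the component loop). That duplication is the likely reason this exit was missed. A single shared cleanup path would keep later exits from drifting apart again; it would free the copied components, then `retval->realm.data`, `retval->data` and `retval`. The guard on `retval->realm.data` is presumably always true here, since the realm copy has already succeeded, so a short comment such as `/* realm was filled in by the qbuf_to_data call above */` would explain why it is kept. The function's start lies outside the quoted fix, so the state of `retval` on entry to this loop cannot be confirmed from these lines alone.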
Jim_Miller@suite.com