[413] in Kerberos-V5-bugs
Re: Some bugs, some questions, and a Next.cf
daemon@ATHENA.MIT.EDU (Andrew Gross)
Wed Jan 26 03:21:51 1994
Date: Wed, 26 Jan 94 00:21:38 -0800
From: Andrew Gross <drew@drew.extern.ucsd.edu>
To: drew@drew.extern.ucsd.edu, tytso@MIT.EDU
Cc: krb5-bugs@athena.mit.edu., tep@sdsc.edu
Hello,
> Date: Mon, 24 Jan 94 23:11:45 -0800
> From: Andrew Gross <drew@drew.extern.ucsd.edu>
>
> A principal should never be freed twice; if it is, that's a bug.
Thanks, now I see what your assumption is.
> This causes problems in kadmind (adm_funcs.c:adm5_change) because
> parts of the krb5_db_entry structure called entry are freed in
> functions called by this function, and on some occasions entry.mod_name
> will point to the same structure as newprinc.
>
> That's a problem in kadmind, and should be fixed.
I haven't found where these are set equal in adm_funcs.c and I find it
distasteful to just tell you "well I have a problem with it". It only
happens with kpasswd (kadmin works fine) and I have only tried
changing the password from the local machine. I did link in the
malloc debugging library that comes with the NeXT and verified that
this is what is occurring. If I find anything more I'll be sure to
send it in.
I have two other minor problems. One is that in kadmin/server/adm_funcs.c
the krb5_db_entry declared in adm5_change has its key.contents and
alt_key.contents fields freed in adm_enter_pwd_key and in
adm_modify_kdb . I think this has been reported already but I can't
find it in my mail folder. I just set the pointer to *key.contents to
NULL so that krb5_db_free_principal does not attempt to free these
fields. Here are the patches for this:
diff -r -c server/adm_funcs.c server.x/adm_funcs.c
*** server/adm_funcs.c Thu Jan 13 15:45:34 1994
--- server.x/adm_funcs.c Mon Jan 24 22:15:21 1994
***************
*** 35,40 ****
--- 35,41 ----
#include <com_err.h>
#include <sys/types.h>
+ #include <syslog.h>
#include <sys/socket.h>
#include <netinet/in.h>
***************
*** 273,284 ****
retval = krb5_db_put_principal(entry, &one);
memset((char *) entry->key.contents, 0, entry->key.length);
! if (entry->key.contents)
krb5_xfree(entry->key.contents);
memset((char *) entry->alt_key.contents, 0, entry->alt_key.length);
! if (entry->alt_key.contents)
krb5_xfree(entry->alt_key.contents);
if (retval) {
com_err("adm_modify_kdb", retval,
--- 274,289 ----
retval = krb5_db_put_principal(entry, &one);
memset((char *) entry->key.contents, 0, entry->key.length);
! if (entry->key.contents) {
krb5_xfree(entry->key.contents);
+ entry->key.contents = NULL;
+ }
memset((char *) entry->alt_key.contents, 0, entry->alt_key.length);
! if (entry->alt_key.contents) {
krb5_xfree(entry->alt_key.contents);
+ entry->alt_key.contents = NULL;
+ }
if (retval) {
com_err("adm_modify_kdb", retval,
***************
*** 422,429 ****
memset((char *) tempkey.contents, 0, tempkey.length);
memset((char *) alttempkey.contents, 0, alttempkey.length);
! if (entry->alt_key.contents)
free(entry->alt_key.contents);
return(retval);
}
--- 427,436 ----
memset((char *) tempkey.contents, 0, tempkey.length);
memset((char *) alttempkey.contents, 0, alttempkey.length);
! if (entry->alt_key.contents) {
free(entry->alt_key.contents);
+ entry->alt_key.contents = NULL;
+ }
return(retval);
}
The other minor bug is in kadmin/server/adm_process.c in the
process_client function. The relevant excerpt is (with line numbers
proceeding in <.>'s):
<137> char retbuf[512];
...
<403> if ((final_msg.data = (char *) calloc(1,10)) == (char *) 0) {
...
<406> }
<407> final_msg.data = retbuf;
...
<422> free(final_msg.data);
...
<425> free(final_msg.data);
Should line 407 be a bcopy/memcpy instead? I just get a nasty SEGV.
Thank you for your time and patience,
Andrew Gross
