[2236] in Kerberos_V5_Development
Re: Memory allocation/freeing
daemon@ATHENA.MIT.EDU (Theodore Y. Ts'o)
Wed Feb 19 01:02:31 1997
Date: Wed, 19 Feb 1997 01:02:04 -0500
From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
To: "Richard Basch" <basch@lehman.com>
Cc: krbdev@MIT.EDU
In-Reply-To: Richard Basch's message of Tue, 18 Feb 1997 22:53:35 -0500,
<199702190353.WAA28580@badger.lehman.com>
> Date: Tue, 18 Feb 1997 22:53:35 -0500
> From: "Richard Basch" <basch@lehman.com>
>
> I have identified one more memory allocation in the krb5 lib that needs
> to have an associated "free" routine -- krb5_unparse_name allocates a
> (char *) in which to place the result, if one is not already allocated.
> Even worse -- it tries to realloc even if it was given a buffer, not
> knowing whether the buffer even came out of its malloc pool... In this
> instance, I see that we will need to adjust the API slightly. There is
> also the possibility that a garbage buffer could be passed in and a NULL
> dereference occurs.
krb5_unparse_name() doesn't play the realloc()'ing game. Take a closer
look at the source code; it sets *name to be NULL before calling
krb5_unparse_name_ext(), so the realloc code path can never be called.
krb5_unparse_name_ext() does, but the assumption is that it is
reallocing memory out of its own malloc() pool; note that you have to
pass in an int * as well so it can keep track of how big the buffer is.
The API is such that the first time you call it, you pass in a pointer
to a char pointer that is NULL, and a pointer to an integer variable
which is set to 0. krb5_unparse_name_ext() then gets called
repeatedly, with the buffer and size variable being reallocated and
adjusted as necessary.
The whole reason for krb5_unparse_name_ext(), by the way, was so that
you could efficiently dump a database without needing to do lots of
malloc's and free's. Very few programs actually use
krb5_unparse_name_ext(), besides programs like "kdb5_util dump".
- Ted
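As an added illustration (not code from the krb5 library or from either author), here is a constructed model of the two calling conventions Ted describes: the _ext form grows a buffer it allocated itself, tracked by a size counter, across repeated calls, while the plain form always starts from NULL so the realloc path never sees a caller-supplied buffer. The principal struct, the '/'-and-'@' joining and the lack of escaping are simplifications assumed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a principal: components plus realm (no escaping). */
struct principal {
    const char *components[4];
    int ncomp;
    const char *realm;
};

/* Length of "comp1/comp2@REALM" including the terminating NUL. */
static size_t unparsed_len(const struct principal *p) {
    size_t n = 0;
    for (int i = 0; i < p->ncomp; i++)
        n += strlen(p->components[i]) + 1;   /* component plus '/' or '@' */
    return n + strlen(p->realm) + 1;          /* realm plus NUL */
}

/* Model of the _ext convention: *name and *size describe a buffer that this
 * function allocated on an earlier call (or NULL/0 on the first call). The
 * buffer is only ever realloc()ed here, so a caller must never pass in memory
 * that did not come out of this function's own malloc pool.
 * Returns 0 on success, -1 if allocation fails (caller's buffer is kept). */
int unparse_name_ext(const struct principal *p, char **name, unsigned int *size) {
    size_t need = unparsed_len(p);
    if (*name == NULL || *size < need) {
        char *tmp = realloc(*name, need);   /* realloc(NULL, n) acts as malloc(n) */
        if (tmp == NULL)
            return -1;
        *name = tmp;
        *size = (unsigned int)need;
    }
    char *out = *name;
    for (int i = 0; i < p->ncomp; i++) {
        size_t len = strlen(p->components[i]);
        memcpy(out, p->components[i], len);
        out += len;
        *out++ = (i + 1 < p->ncomp) ? '/' : '@';
    }
    strcpy(out, p->realm);
    return 0;
}

/* Model of the plain convention: *name is forced to NULL before delegating,
 * so no caller-supplied buffer can reach realloc(). Caller free()s *name. */
int unparse_name(const struct principal *p, char **name) {
    unsigned int size = 0;
    *name = NULL;
    return unparse_name_ext(p, name, &size);
}
```

The dump-style loop is the intended use of the _ext form: one buffer, reused and grown across many principals, freed once at the end.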