[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

uncommon ccache leak in gssapi/acquire_initiator_cred


I found a leak in lib/gssapi/acquire_cred.c:acquire_initiator_cred.

Here's the fix:

    } else if (handle->principal != NULL && 
        krb5_principal_compare(gssapi_krb5_context, handle->principal,
        def_princ) == FALSE) {
        /* Before failing, lets check the keytab */
        krb5_free_principal(gssapi_krb5_context, def_princ);
        def_princ = NULL;
krb5_cc_close(gssapi_krb5_context, ccache);
ccache = NULL; 
    if (def_princ == NULL) { 
        /* We have no existing credentials cache,
         * so attempt to get a TGT using a keytab.

It seems under uncommon circumstances it can leak a ccache. Adding a
close and then setting it to NULL resolves the leak.

I found this running my PHP extension test suite under valgrind.

Note that I'm still using 0.7.2 but I've looked at 1.0 and it has this
leak too AFAICT.


Michael B Allen
PHP Active Directory SPNEGO SSO