
RE: uncommon ccache leak in gssapi/acquire_initiator_cred



Good catch.

I think more specifically the leak is due to the call krb5_cc_gen_new()
in the subsequent code inside:

    if (def_princ == NULL) {
    ...
    }

Thanks.



Fred


-----Original Message-----
From: Michael B Allen [mailto:miallen@ioplex.com] 
Sent: Sunday, February 10, 2008 8:50 PM
To: heimdal-discuss@sics.se
Subject: uncommon ccache leak in gssapi/acquire_initiator_cred

Hi,

I found a leak in lib/gssapi/acquire_cred.c:acquire_initiator_cred.

Here's the fix:

        ...
    } else if (handle->principal != NULL && 
        krb5_principal_compare(gssapi_krb5_context, handle->principal,
        def_princ) == FALSE) {
        /* Before failing, lets check the keytab */
        krb5_free_principal(gssapi_krb5_context, def_princ);
        def_princ = NULL;
krb5_cc_close(gssapi_krb5_context, ccache);
ccache = NULL; 
    }
    if (def_princ == NULL) { 
        /* We have no existing credentials cache,
         * so attempt to get a TGT using a keytab.
         */ 
        ...

It seems under uncommon circumstances it can leak a ccache. Adding a
close and then setting it to NULL resolves the leak.

I found this running my PHP extension test suite under valgrind.

Note that I'm still using 0.7.2 but I've looked at 1.0 and it has this
leak too AFAICT.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
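
The leak pattern discussed in this thread, as an added example that is not part of either message and is not Heimdal code: a counting mock of the control flow, showing how a cache handle opened first is lost when the keytab path stores a new cache in the same variable, and how the close-and-NULL from the fix removes the leak. All names (`mock_cc_open`, `mock_cc_close`, `acquire_model`) are hypothetical stand-ins, and the final close models whoever eventually releases the credential.

```c
#include <stdio.h>
#include <stdlib.h>

static int live_ccaches;                 /* handles opened and not yet closed */

typedef struct mock_ccache { int unused; } mock_ccache;

/* Stand-in for any call that returns a new ccache handle. */
static mock_ccache *mock_cc_open(void) {
    mock_ccache *c = malloc(sizeof *c);
    if (c == NULL) abort();
    live_ccaches++;
    return c;
}

/* Stand-in for krb5_cc_close(); tolerates NULL. */
static void mock_cc_close(mock_ccache *c) {
    if (c == NULL) return;
    free(c);
    live_ccaches--;
}

/* Returns how many handles are still open at the end.
 * principal_matches: outcome of the principal comparison.
 * apply_fix: whether the close-and-NULL lines are present. */
int acquire_model(int principal_matches, int apply_fix) {
    int have_def_princ = 1;
    live_ccaches = 0;
    mock_ccache *ccache = mock_cc_open();     /* existing cache opened first */
    if (!principal_matches) {
        have_def_princ = 0;                   /* def_princ freed, set to NULL */
        if (apply_fix) {
            mock_cc_close(ccache);
            ccache = NULL;
        }
    }
    if (!have_def_princ)
        ccache = mock_cc_open();              /* keytab path overwrites ccache */
    mock_cc_close(ccache);                    /* eventual release by the owner */
    return live_ccaches;
}

int main(void) {
    printf("match,    no fix: %d leaked\n", acquire_model(1, 0));
    printf("mismatch, no fix: %d leaked\n", acquire_model(0, 0));
    printf("mismatch, fix:    %d leaked\n", acquire_model(0, 1));
    return 0;
}
```

Only the mismatch path without the fix ends with a handle still open, which is why the leak shows up only under uncommon circumstances.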