diff options
| author | Greg Hudson <ghudson@mit.edu> | 2018-02-27 11:56:58 -0500 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2018-05-01 17:30:50 -0400 |
| commit | b294627169fba270dbd78cff5e1408a21051b266 (patch) | |
| tree | 5aaff0dbdca8c4f2684e8f4240bb00c2db43afa0 | |
| parent | 57c70d882371fee7a1fca172d4a64f8f898b5c92 (diff) | |
| download | krb5-b294627169fba270dbd78cff5e1408a21051b266.zip krb5-b294627169fba270dbd78cff5e1408a21051b266.tar.gz krb5-b294627169fba270dbd78cff5e1408a21051b266.tar.bz2 | |
Fix KDC encrypting key memory leak on some errors
Commit 0ba5ccd7bb3ea15e44a87f84ca6feed8890f657d separated the
allocation and destruction of encrypting_key, causing it to leak when
any of the intervening calls jump to the cleanup label. Currently the
leak manifests on transited or authdata failures. Move encrypting_key
destruction to the cleanup label so that it can't leak. Reported by
anedvedicky@gmail.com.
(cherry picked from commit 1bcf2742d504a22b7354251bbc1e19c3dacd95f3)
ticket: 8645
version_fixed: 1.15.3
| -rw-r--r-- | src/kdc/do_tgs_req.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 339259f..1000a10 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -144,6 +144,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, memset(&reply_encpart, 0, sizeof(reply_encpart)); memset(&ticket_reply, 0, sizeof(ticket_reply)); memset(&enc_tkt_reply, 0, sizeof(enc_tkt_reply)); + memset(&encrypting_key, 0, sizeof(encrypting_key)); session_key.contents = NULL; retval = decode_krb5_tgs_req(pkt, &request); @@ -721,8 +722,6 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key, &ticket_reply); - if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) - krb5_free_keyblock_contents(kdc_context, &encrypting_key); if (errcode) { status = "ENCRYPT_TICKET"; goto cleanup; @@ -825,6 +824,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, cleanup: if (status == NULL) status = "UNKNOWN_REASON"; + if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) + krb5_free_keyblock_contents(kdc_context, &encrypting_key); if (reply_key) krb5_free_keyblock(kdc_context, reply_key); if (errcode) |