Fix memory leaks in FAST TGS support
authorGreg Hudson <ghudson@mit.edu>
Fri, 9 Dec 2011 17:57:47 +0000 (17:57 +0000)
committerGreg Hudson <ghudson@mit.edu>
Fri, 9 Dec 2011 17:57:47 +0000 (17:57 +0000)
krb5int_fast_prep_req removes tgs from request->padata and needs to
free it.  get_creds.c needs to use a fresh FAST state for each TGS
request to avoid leaking armor keys.

ticket: 7026

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25535 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/krb5/krb/fast.c
src/lib/krb5/krb/get_creds.c

index ec660563aa46b74b9ce5fad516f589f52a67c20f..7de338b122a16edd1b2c1f3179bcca807c97a0df 100644 (file)
@@ -320,6 +320,10 @@ krb5int_fast_prep_req(krb5_context context,
         krb5_free_data(context, encoded_fast_req);
     if (local_encoded_result)
         krb5_free_data(context, local_encoded_result);
+    if (tgs) {
+        free(tgs->contents);
+        free(tgs);
+    }
     state->fast_outer_request.padata = NULL;
     return retval;
 }
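Review bot: The added `free(tgs->contents); free(tgs);` is only safe if `tgs` is initialised to NULL at its declaration and becomes non-NULL only once the element has been unlinked from `request->padata`. Neither the declaration nor the unlink is visible in this hunk, because krb5int_fast_prep_req begins above it. If an error path can reach this cleanup with `tgs` set but still present in the padata array, the caller's later free of the request would release the same element a second time. I would state the ownership at the free, for example `/* tgs was unlinked from request->padata above, so it is ours to free. */`, and confirm the NULL initialiser while doing so.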
index d1439586cb83492a03162c1f1be238c24ce8ac73..b009e6100ba58215f5f2e0a32fcb3af5b7c83ab1 100644 (file)
@@ -152,7 +152,6 @@ struct _krb5_tkt_creds_context {
     krb5_flags req_options;     /* Caller-requested KRB5_GC_* options */
     krb5_flags req_kdcopt;      /* Caller-requested options as KDC options */
     krb5_authdata **authdata;   /* Caller-requested authdata */
-    struct krb5int_fast_request_state *fast_state;
 
     /* The following fields are used in multiple steps. */
     krb5_creds *cur_tgt;        /* TGT to be used for next query */
@@ -168,6 +167,7 @@ struct _krb5_tkt_creds_context {
     int kdcopt;                 /* KDC options of request */
     krb5_keyblock *subkey;      /* subkey of request */
     krb5_data previous_request; /* Encoded request (for TCP retransmission) */
+    struct krb5int_fast_request_state *fast_state;
 
     /* The following fields are used when acquiring foreign TGTs. */
     krb5_data *realm_path;      /* Path from client to server realm */
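Review bot: The relocated `fast_state` member has no trailing comment, unlike the neighbouring members visible here (`kdcopt`, `subkey`, `previous_request`). Its lifetime changes with this commit from per-context to per-request, and that is worth stating on the declaration, for example `struct krb5int_fast_request_state *fast_state; /* FAST state (armor key) of request */`. The struct definition starts and ends outside this hunk.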
@@ -268,6 +268,13 @@ make_request(krb5_context context, krb5_tkt_creds_context ctx,
     if (!krb5_c_valid_enctype(ctx->cur_tgt->keyblock.enctype))
         return KRB5_PROG_ETYPE_NOSUPP;
 
+    /* Create a new FAST state structure to store this request's armor key. */
+    krb5int_fast_free_state(context, ctx->fast_state);
+    ctx->fast_state = NULL;
+    code = krb5int_fast_make_state(context, &ctx->fast_state);
+    if (code)
+        return code;
+
     code = krb5int_make_tgs_request(context, ctx->fast_state,
                                     ctx->cur_tgt, ctx->kdcopt,
                                     ctx->cur_tgt->addresses, NULL,
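Review bot: `ctx->fast_state` is now NULL on the first call to make_request, because the last hunk removes the allocation from krb5_tkt_creds_init, so `krb5int_fast_free_state(context, ctx->fast_state)` must accept a NULL state. That function's body is not shown here, so its NULL handling should be confirmed. The same applies to any reader of `ctx->fast_state` that can run before the first request or after `krb5int_fast_make_state` fails, since the pointer is left NULL on that return. I would extend the comment to record this, for example `/* fast_state is NULL before the first request and after a failed allocation. */`. make_request continues past the end of this hunk.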
@@ -1047,9 +1054,6 @@ krb5_tkt_creds_init(krb5_context context, krb5_ccache ccache,
     ctx = k5alloc(sizeof(*ctx), &code);
     if (ctx == NULL)
         goto cleanup;
-    code = krb5int_fast_make_state(context, &ctx->fast_state);
-    if (code)
-        goto cleanup;
 
     ctx->req_options = options;
     ctx->req_kdcopt = 0;