From: Ivan Korytov <korytovip@basealt.ru>
Date: Fri, 21 Feb 2025 07:02:48 +0000 (+0300)
Subject: s4:kdc: Fix memory leak for unused keys in TGT
X-Git-Tag: tevent-0.17.0~59
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a97aad91878f693bd854b9483592811ac883b356;p=thirdparty%2Fsamba.git

s4:kdc: Fix memory leak for unused keys in TGT

Length of key list was reduced to one but unused keys were not deallocated before changing the length.
As such, free_sdb_entry/sdb_keys_free function could not release unused keys indexed from 1 onwards on entry deallocation.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15712

Signed-off-by: Ivan Korytov <korytovip@basealt.ru>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
---

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 90cfe006043..98b90e3637e 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1844,6 +1844,8 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 		 */
 #ifdef SAMBA4_USES_HEIMDAL
 		if (is_krbtgt) {
+			unsigned int i = 0;
+
 			/*
 			 * The krbtgt account, having no reason to
 			 * issue tickets encrypted in weaker keys,
@@ -1875,11 +1877,20 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 			 * management.
 			 */
 
+			for (i = 1; i < entry->keys.len; i++) {
+				sdb_key_free(&entry->keys.val[i]);
+			}
 			entry->keys.len = 1;
 			if (entry->etypes != NULL) {
 				entry->etypes->len = MIN(entry->etypes->len, 1);
 			}
+			for (i = 1; i < entry->old_keys.len; i++) {
+				sdb_key_free(&entry->old_keys.val[i]);
+			}
 			entry->old_keys.len = MIN(entry->old_keys.len, 1);
+			for (i = 1; i < entry->older_keys.len; i++) {
+				sdb_key_free(&entry->older_keys.val[i]);
+			}
 			entry->older_keys.len = MIN(entry->older_keys.len, 1);
 		}
 #endif