From: Greg Hudson
Date: Tue, 27 Feb 2018 16:56:58 +0000 (-0500)
Subject: Fix KDC encrypting key memory leak on some errors
X-Git-Tag: krb5-1.17-beta1~176
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1bcf2742d504a22b7354251bbc1e19c3dacd95f3;p=thirdparty%2Fkrb5.git
Fix KDC encrypting key memory leak on some errors
Commit 0ba5ccd7bb3ea15e44a87f84ca6feed8890f657d separated the allocation and destruction of encrypting_key, causing it to leak when any of the intervening calls jump to the cleanup label. Currently the leak manifests on transited or authdata failures. Move encrypting_key destruction to the cleanup label so that it can't leak. Reported by anedvedicky@gmail.com.
ticket: 8645 (new)
tags: pullup
target_version: 1.16-next
target_version: 1.15-next
---
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index cc5a692362..fca01db9d1 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -144,6 +144,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
 memset(&reply_encpart, 0, sizeof(reply_encpart));
 memset(&ticket_reply, 0, sizeof(ticket_reply));
 memset(&enc_tkt_reply, 0, sizeof(enc_tkt_reply));
+ memset(&encrypting_key, 0, sizeof(encrypting_key));
 session_key.contents = NULL;
 retval = decode_krb5_tgs_req(pkt, &request);
@@ -719,8 +720,6 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
 errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key, &ticket_reply);
- if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY))
- krb5_free_keyblock_contents(kdc_context, &encrypting_key);
 if (errcode)
 goto cleanup;
 ticket_reply.enc_part.kvno = ticket_kvno;
@@ -810,6 +809,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
 cleanup:
 if (status == NULL)
 status = "UNKNOWN_REASON";
+ if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY))
+ krb5_free_keyblock_contents(kdc_context, &encrypting_key);
 if (reply_key)
 krb5_free_keyblock(kdc_context, reply_key);
 if (errcode)
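Review bot: The free added at `cleanup:` in the third hunk decides whether `encrypting_key` is owned by testing `request->kdc_options`, not anything recorded when the key was obtained, and nothing in the hunk explains why ENC-TKT-IN-SKEY requests must be skipped. Presumably `encrypting_key` is then a shallow copy of a key owned elsewhere, so freeing it would be a double free; a comment above the check such as `/* encrypting_key is borrowed, not owned, for ENC-TKT-IN-SKEY requests; free it only when we allocated it. */` would keep a later edit from dropping the condition. The check also dereferences `request` on every path into `cleanup` and depends on the `memset` from the first hunk so that an early jump sees empty contents. Both hold only if no `goto cleanup` can run before `request` is decoded, which cannot be confirmed here because `process_tgs_req` starts and ends outside the hunks.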