From e8909878b3ff95f4a9caf3a8cc80ce9d11a7d3e0 Mon Sep 17 00:00:00 2001
From: sashan
Date: Tue, 20 Feb 2018 22:30:53 +0100
Subject: [PATCH] Free cert info in pkinit_identity_initialize()

The pkinit_identity_crypto_context creds field contains a collection of cert info deduced from configuration, and is used to select the identity certificate on the client and the KDC. Its lifetime is managed separately from the context, by crypto_load_certs() and crypto_free_cert_info(). Prior to commit 60426439f672fe273ceead17910f818da1954c5b, the lifetime was managed purely within pkinit_identity_initialize(). When that function now split into two phases, pkinit_identity_initialize() began leaving the creds array around unnecessarily. The client calling function made its own call to free the creds array, but this was not done by the KDC calling function. The result was that the creds array was overwritten in pkinit_identity_prompt(), leaking a small amount of memory at KDC startup. This leak is trivial, but adds noise to leak detection tools. Fix the leak by freeing the creds array in pkinit_identity_initialize() before returning, and remove the no-longer-necessary call in pkinit_client_prep_questions(). In the longer term, it might be better to separate the creds array from pkinit_identity_crypto_context and manage it using local variables within pkinit_identity_initialize() and pkinit_identity_prompt(). [ghudson@mit.edu: rewrote commit message]
---
 src/plugins/preauth/pkinit/pkinit_clnt.c | 2 --
 src/plugins/preauth/pkinit/pkinit_identity.c | 3 +++
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index f1bc6b21dc..2604800646 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -1017,8 +1017,6 @@ pkinit_client_prep_questions(krb5_context context,
     }
     reqctx->identity_initialized = TRUE;
-    crypto_free_cert_info(context, plgctx->cryptoctx,
-                          reqctx->cryptoctx, reqctx->idctx);
     if (retval != 0) {
         pkiDebug("%s: not asking responder question\n", __FUNCTION__);
         retval = 0;
diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
index e8997c9351..fa754e3fa6 100644
--- a/src/plugins/preauth/pkinit/pkinit_identity.c
+++ b/src/plugins/preauth/pkinit/pkinit_identity.c
@@ -543,6 +543,9 @@ pkinit_identity_initialize(krb5_context context,
                                    idopts, id_cryptoctx, princ, TRUE);
         if (retval)
             goto errout;
+
+        crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
+                              id_cryptoctx);
     } else {
         /* We're the anonymous principal. */
         retval = 0;
-- 
2.47.2
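Review bot: The added crypto_free_cert_info() call in pkinit_identity_initialize() runs only on the success path of the non-anonymous branch; if crypto_load_certs() fails after it has already populated the creds array, the `goto errout` just above skips the free, so the errout label (outside this hunk) should also release the cert info, or the leak this commit fixes persists on the error path — worth confirming. Since the cert info is loaded and then immediately freed, the reason deserves a comment for the next reader, e.g. `/* The cert info loaded above is only needed to select the identity here; pkinit_identity_prompt() loads it again, so free it now to avoid leaking it on the KDC path. */`. If crypto_free_cert_info() does not reset the creds pointer inside id_cryptoctx, a later free in pkinit_identity_prompt() or the client caller would be a double free, which is not visible from this hunk. The enclosing function starts and ends outside the hunk.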