[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

uncommon ccache leak in gssapi/acquire_initiator_cred

Hi,

I found a leak in lib/gssapi/acquire_cred.c:acquire_initiator_cred.

Here's the fix:

        ...
    } else if (handle->principal != NULL && 
        krb5_principal_compare(gssapi_krb5_context, handle->principal,
        def_princ) == FALSE) {
        /* Before failing, lets check the keytab */
        krb5_free_principal(gssapi_krb5_context, def_princ);
        def_princ = NULL;
krb5_cc_close(gssapi_krb5_context, ccache);
ccache = NULL; 
    }
    if (def_princ == NULL) { 
        /* We have no existing credentials cache,
         * so attempt to get a TGT using a keytab.
         */ 
        ...

It seems under uncommon circumstances it can leak a ccache. Adding a
close and then setting it to NULL resolves the leak.

I found this running my PHP extension test suite under valgrind.

Note that I'm still using 0.7.2 but I've looked at 1.0 and it has this
leak too AFAICT.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/