From 48493735e2d2091740fe784cf07a4258dfc0b512 Mon Sep 17 00:00:00 2001 From: Shaleen Bathla Date: Wed, 10 Apr 2024 18:31:39 +0530 Subject: [PATCH] s3: winbindd: winbindd_pam: fix leak in extract_pac_vrfy_sigs Add missing free for entry variable and its members : key and principal Found definite memory leaks via valgrind as shown below. Leak 1 : ==1686== 76,800 bytes in 2,400 blocks are definitely lost in loss record 432 of 433 ==1686== at 0x4C38185: malloc (vg_replace_malloc.c:431) ==1686== by 0x79CBFED: krb5int_c_copy_keyblock_contents (keyblocks.c:101) ==1686== by 0x621CFA3: krb5_mkt_get_next (kt_memory.c:500) ==1686== by 0x141186: extract_pac_vrfy_sigs (winbindd_pam.c:3384) ==1686== by 0x141186: winbindd_pam_auth_pac_verify (winbindd_pam.c:3434) ==1686== by 0x17ED21: winbindd_pam_auth_crap_send (winbindd_pam_auth_crap.c:68) ==1686== by 0x127F45: process_request_send (winbindd.c:502) ==1686== by 0x127F45: winbind_client_request_read (winbindd.c:749) ==1686== by 0x124AAF: wb_req_read_done (wb_reqtrans.c:126) ==1686== by 0x66D4706: tevent_common_invoke_fd_handler (tevent_fd.c:142) ==1686== by 0x66DAF4E: epoll_event_loop (tevent_epoll.c:737) ==1686== by 0x66DAF4E: epoll_event_loop_once (tevent_epoll.c:938) ==1686== by 0x66D8F5A: std_event_loop_once (tevent_standard.c:110) ==1686== by 0x66D39B4: _tevent_loop_once (tevent.c:823) ==1686== by 0x1232F3: main (winbindd.c:1718) Leak 2 : ==1686== at 0x4C38185: malloc (vg_replace_malloc.c:431) ==1686== by 0x62255E4: krb5_copy_principal (copy_princ.c:38) ==1686== by 0x621D003: krb5_mkt_get_next (kt_memory.c:503) ==1686== by 0x141186: extract_pac_vrfy_sigs (winbindd_pam.c:3384) ==1686== by 0x141186: winbindd_pam_auth_pac_verify (winbindd_pam.c:3434) ==1686== by 0x17ED21: winbindd_pam_auth_crap_send (winbindd_pam_auth_crap.c:68) ==1686== by 0x127F45: process_request_send (winbindd.c:502) ==1686== by 0x127F45: winbind_client_request_read (winbindd.c:749) ==1686== by 0x124AAF: wb_req_read_done (wb_reqtrans.c:126) ==1686== by 0x66D4706: tevent_common_invoke_fd_handler (tevent_fd.c:142) ==1686== by 0x66DAF4E: epoll_event_loop (tevent_epoll.c:737) ==1686== by 0x66DAF4E: epoll_event_loop_once (tevent_epoll.c:938) ==1686== by 0x66D8F5A: std_event_loop_once (tevent_standard.c:110) ==1686== by 0x66D39B4: _tevent_loop_once (tevent.c:823) ==1686== by 0x1232F3: main (winbindd.c:1718) Signed-off-by: Shaleen Bathla Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Tue Apr 16 10:22:51 UTC 2024 on atb-devel-224 Orabug: 36566309 Signed-off-by: Shaleen Bathla Reviewed-by: Laurence Rochfort --- source3/winbindd/winbindd_pam.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 6c890c8acd5..e7d64189b7e 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -3433,12 +3433,17 @@ static NTSTATUS extract_pac_vrfy_sigs(TALLOC_CTX *mem_ctx, DATA_BLOB pac_blob, NULL, /* client_principal */ 0, /* tgs_authtime */ p_pac_data); + (void)smb_krb5_kt_free_entry(krbctx, &entry); if (NT_STATUS_IS_OK(status)) { break; } - k5ret = smb_krb5_kt_free_entry(krbctx, &entry); k5ret = krb5_kt_next_entry(krbctx, keytab, &entry, &cursor); } + if (k5ret != 0 && k5ret != KRB5_KT_END) { + DEBUG(1, ("Failed to get next entry: %s\n", + error_message(k5ret))); + (void)smb_krb5_kt_free_entry(krbctx, &entry); + } k5ret = krb5_kt_end_seq_get(krbctx, keytab, &cursor); if (k5ret) {