[krbdev.mit.edu #3209] Memory leak parsing ticket_lifetime from krb5.conf.


Greg Hudson via RT
From: Ed Plese <[hidden email]>
To: [hidden email]
Date: Wed, 19 Oct 2005 09:54:12 -0500 (CDT)
Message-Id: <[hidden email]>
Reply-To: Ed Plese <[hidden email]>


>Submitter-Id: net
>Originator:
>Organization:
>Confidential: no
>Synopsis: Memory leak parsing ticket_lifetime from krb5.conf.
>Severity: non-critical
>Priority: low
>Category: krb5-libs
>Class: sw-bug
>Release: 1.4.1
>Environment:
OS: Gentoo Linux
System: Linux morpheus 2.6.13-mm1 #1 SMP PREEMPT Wed Sep 7 06:40:46 CDT 2005 i686 Intel(R) Pentium(R) 4 CPU 2.60GHz GenuineIntel GNU/Linux
Architecture: i686

>Description:
This particular problem was noticed while running Samba 3 configured as a
domain member of an Active Directory.  Over a few hours of working with
an Active Directory with a few thousand users, winbind would be
using over 1 GB of memory and would need to be restarted.

Running valgrind on winbind showed (among other things) the following
results after running "wbinfo -t" 1000 times.

==31865== 4004 bytes in 1001 blocks are definitely lost in loss record 36 of 44
==31865==    at 0x1B9042FC: malloc (in /usr/lib/valgrind/vgpreload_memcheck.so)
==31865==    by 0x1B9FF911: krb5_libdefault_string (get_in_tkt.c:716)
==31865==    by 0x1B9FFBC3: krb5_get_init_creds (get_in_tkt.c:841)
==31865==    by 0x1BA00E0C: krb5_get_init_creds_password (gic_pwd.c:124)
==31865==    by 0x1D13FF: kerberos_kinit_password (kerberos.c:91)
==31865==    by 0x1BAB95DE: __libc_start_main (in /lib/libc-2.3.4.so)
==31865==    by 0x2F090: (within /usr/sbin/winbindd)

The culprit of the leak seems to be krb5_get_init_creds in get_in_tkt.c.

Here is the code starting at line 839:

    if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE)) {
        tkt_life = options->tkt_life;
    } else if ((ret = krb5_libdefault_string(context, &client->realm,
                                             "ticket_lifetime", &tempstr))
               == 0) {
        if ((ret = krb5_string_to_deltat(tempstr, &tkt_life))) {
            free(tempstr);
            goto cleanup;
        }
    } else {
        /* this used to be hardcoded in kinit.c */
        tkt_life = 24*60*60;
    }

The problem is that on success, krb5_string_to_deltat returns 0 and therefore
tempstr is never freed.

This should be able to be fixed by a simple fix as shown below:

    if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE)) {
        tkt_life = options->tkt_life;
    } else if ((ret = krb5_libdefault_string(context, &client->realm,
                                             "ticket_lifetime", &tempstr))
               == 0) {
        if ((ret = krb5_string_to_deltat(tempstr, &tkt_life))) {
            free(tempstr);
            goto cleanup;
+       } else {
+           free(tempstr);
        }
    } else {
        /* this used to be hardcoded in kinit.c */
        tkt_life = 24*60*60;
    }
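Review bot: the added `} else { free(tempstr); }` is correct but can be simplified: since krb5_string_to_deltat only writes into tkt_life and does not retain the string, `free(tempstr);` can be called unconditionally right after the krb5_string_to_deltat call and before the `ret` check, which removes the duplicated free on both branches. The same one-line change would apply to the renew_lifetime block at line 856 that the report says follows the same pattern.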

There also appears to be a problem with the retrieving of the renew_lifetime
configuration parameter in the code directly following the code shown above
(starting at line 856) since the code is very similar to the above code.

I am not familiar with the codebase so the above fix may not be correct and/or
may overlook something.  For this reason I haven't even tested this fix and
instead just went with the workaround of removing the ticket_lifetime
configuration parameter from krb5.conf.
>How-To-Repeat:
I'm sure there are simpler ways, but in my environment I did the following:
1. Configure Samba 3 to be an Active Directory domain member server.
2. Run "wbinfo -t" 1000 times.  All it really takes is once, but running
   it 1000 times makes it more noticeable.
>Fix:
The simple workaround to this problem is to remove the ticket_lifetime
configuration parameter from krb5.conf.  This avoids the code path that
causes the memory leak.

_______________________________________________
krb5-bugs mailing list
[hidden email]
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
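The leak pattern from the report, reproduced as an added C example that is not part of the original bug report or of the krb5 sources. `lookup_string` and `string_to_deltat` are hypothetical stand-ins for `krb5_libdefault_string` and `krb5_string_to_deltat` (same ownership contract: the caller receives a malloc'd string and must free it; the parser writes its result into the output parameter and keeps no reference to the string). Allocation is counted so the leak is visible without valgrind, and the corrected form frees the string unconditionally once parsing is done, which is the same effect as the `else { free(tempstr); }` in the proposed fix.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outstanding allocations made through the stand-in lookup below.
 * Instrumenting the allocation makes the leak observable in-process. */
static int live_allocs = 0;

static char *tracked_strdup(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (p) { strcpy(p, s); live_allocs++; }
    return p;
}

static void tracked_free(char *p) {
    if (p) { free(p); live_allocs--; }
}

/* Hypothetical stand-in for krb5_libdefault_string: on success returns 0
 * and hands the caller a malloc'd copy of the configured value; returns
 * non-zero when the key is absent (configured == NULL models "unset"). */
static int lookup_string(const char *configured, char **out) {
    if (configured == NULL) return 1;
    *out = tracked_strdup(configured);
    return *out ? 0 : ENOMEM;
}

/* Hypothetical stand-in for krb5_string_to_deltat: accepts "<n>", "<n>m",
 * "<n>h" or "<n>d" and writes the value in seconds into *out.
 * Returns 0 on success, non-zero on a malformed string. */
static int string_to_deltat(const char *s, long *out) {
    char *end;
    long n = strtol(s, &end, 10);
    if (end == s || n < 0) return 1;
    switch (*end) {
        case '\0': break;
        case 'm': n *= 60; break;
        case 'h': n *= 3600; break;
        case 'd': n *= 86400; break;
        default: return 1;
    }
    if (*end != '\0' && end[1] != '\0') return 1;   /* trailing junk */
    *out = n;
    return 0;
}

/* Mirrors the reported code: tempstr is released only on the error path,
 * so every successful parse of a configured ticket_lifetime leaks one block. */
int get_tkt_life_leaky(const char *configured, long *tkt_life) {
    char *tempstr;
    int ret;
    if ((ret = lookup_string(configured, &tempstr)) == 0) {
        if ((ret = string_to_deltat(tempstr, tkt_life))) {
            tracked_free(tempstr);
            return ret;
        }
        /* success: tempstr is never freed */
    } else {
        *tkt_life = 24 * 60 * 60;   /* default when the key is unset */
        ret = 0;
    }
    return ret;
}

/* Corrected form: the parser has copied what it needs into *tkt_life, so the
 * string can be freed unconditionally before the result code is examined. */
int get_tkt_life_fixed(const char *configured, long *tkt_life) {
    char *tempstr;
    int ret;
    if ((ret = lookup_string(configured, &tempstr)) == 0) {
        ret = string_to_deltat(tempstr, tkt_life);
        tracked_free(tempstr);
        return ret;
    }
    *tkt_life = 24 * 60 * 60;
    return 0;
}

/* Calls fn n times with the given config value and reports how many
 * allocations were never released (the number of leaked blocks). */
int count_leaks(int (*fn)(const char *, long *), const char *cfg, int n) {
    long life;
    live_allocs = 0;
    for (int i = 0; i < n; i++) fn(cfg, &life);
    return live_allocs;
}

int main(void) {
    /* "10h" is a constructed ticket_lifetime value; 1000 calls mirrors
     * the 1000 "wbinfo -t" runs in the report. */
    printf("leaky: %d blocks lost after 1000 calls\n",
           count_leaks(get_tkt_life_leaky, "10h", 1000));
    printf("fixed: %d blocks lost after 1000 calls\n",
           count_leaks(get_tkt_life_fixed, "10h", 1000));
    return 0;
}
```

The leaky variant loses exactly one block per call with a configured value, matching the "1001 blocks definitely lost" valgrind record; with the key unset (the reported workaround) neither variant allocates, and a malformed value already hits the freeing error path in both.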