Bug 15813 - Temporary preauthentication data is not deallocated
Summary: Temporary preauthentication data is not deallocated
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
Version: 4.19.9
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2025-02-21 11:21 UTC by Ivan Korytov
Modified: 2025-02-21 11:33 UTC

Description Ivan Korytov 2025-02-21 11:21:21 UTC
In function samba_wdc_finalize_reply, data from md.padata_value is converted and copied into r->ek.encrypted_pa_data by kdc_request_add_encrypted_padata, so it is no longer needed even if no error occurred. md is a local variable that is not passed anywhere, so no one can free it later.

Example of Valgrind report on this leak (on older version of Samba):

> ==23579== 1,496 (544 direct, 952 indirect) bytes in 34 blocks are definitely lost in loss record 252 of 317
> ==23579==    at 0x48399A2: calloc (vg_replace_malloc.c:762)
> ==23579==    by 0x8D2A36E: kdc_request_add_encrypted_padata (kdc-plugin.c:438)
> ==23579==    by 0x8CCEE4B: samba_wdc_finalize_reply (wdc-samba4.c:980)
> ==23579==    by 0x6601BC5: eval_results (plugin.c:702)
> ==23579==    by 0x65F50EA: heim_array_iterate_f (array.c:260)
> ==23579==    by 0x6601F92: heim_plugin_run_f (plugin.c:776)
> ==23579==    by 0x5D54A7E: _krb5_plugin_run_f (plugin.c:156)
> ==23579==    by 0x8D2A17E: _kdc_finalize_reply (kdc-plugin.c:258)
> ==23579==    by 0x8D21495: tgs_make_reply (krb5tgs.c:788)
> ==23579==    by 0x8D21495: tgs_build_reply.isra.7 (krb5tgs.c:2037)
Comment 1 Ivan Korytov 2025-02-21 11:33:59 UTC
Sorry, wrong Valgrind report, here is a correct one:

> ==23583== 1,140 bytes in 285 blocks are definitely lost in loss record 244 of 317
> ==23583==    at 0x4837753: malloc (vg_replace_malloc.c:309)
> ==23583==    by 0x8CCEE21: samba_kdc_build_supported_etypes (wdc-samba4.c:944)
> ==23583==    by 0x8CCEE21: samba_wdc_finalize_reply (wdc-samba4.c:973)
> ==23583==    by 0x6601BC5: eval_results (plugin.c:702)
> ==23583==    by 0x65F50EA: heim_array_iterate_f (array.c:260)
> ==23583==    by 0x6601F92: heim_plugin_run_f (plugin.c:776)
> ==23583==    by 0x5D54A7E: _krb5_plugin_run_f (plugin.c:156)
> ==23583==    by 0x8D2A17E: _kdc_finalize_reply (kdc-plugin.c:258)
> ==23583==    by 0x8D21495: tgs_make_reply (krb5tgs.c:788)
> ==23583==    by 0x8D21495: tgs_build_reply.isra.7 (krb5tgs.c:2037)
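
The ownership pattern this report describes, reduced to a stand-alone C program as an added example (not Samba or Heimdal code). All type and function names are hypothetical stand-ins, the add function is assumed to deep-copy as the description states, and the 4-byte temporary matches the per-block size in the second Valgrind report (1,140 bytes in 285 blocks).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins, not Samba or Heimdal types. */
struct padata { size_t len; unsigned char *data; };
struct reply  { struct padata enc; };

static long live_allocs;  /* outstanding heap blocks, counted for the demonstration */
static void *xmalloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }

/* Deep-copies md into the reply; the caller keeps ownership of md->data. */
static int reply_add_padata(struct reply *r, const struct padata *md) {
    unsigned char *copy = xmalloc(md->len);
    if (copy == NULL) return -1;
    memcpy(copy, md->data, md->len);
    xfree(r->enc.data);
    r->enc.len = md->len;
    r->enc.data = copy;
    return 0;
}
static void reply_free(struct reply *r) { xfree(r->enc.data); r->enc.data = NULL; }

/* Builds the temporary value on the heap (constructed 4-byte sample). */
static int build_supported_etypes(struct padata *md) {
    static const unsigned char bits[4] = {0x18, 0, 0, 0};
    md->data = xmalloc(sizeof(bits));
    if (md->data == NULL) return -1;
    memcpy(md->data, bits, sizeof(bits));
    md->len = sizeof(bits);
    return 0;
}

/* free_temp == 0 reproduces the leak; free_temp != 0 releases the local
 * temporary after the copy, on success and on error alike. */
static int finalize_reply(struct reply *r, int free_temp) {
    struct padata md = {0};
    int ret = build_supported_etypes(&md);
    if (ret != 0) return ret;
    ret = reply_add_padata(r, &md);
    if (free_temp) xfree(md.data);
    return ret;
}

/* Blocks still allocated after `calls` replies were built and then freed. */
static long leaked_after(int calls, int free_temp) {
    live_allocs = 0;
    for (int i = 0; i < calls; i++) {
        struct reply r = {0};
        finalize_reply(&r, free_temp);
        reply_free(&r);
    }
    return live_allocs;
}
```

Calling `leaked_after(285, 0)` leaves one block outstanding per request even though every reply is freed, while `leaked_after(285, 1)` leaves none.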