Bug 140955
| Summary: | krb5 double free error when running mod_auth_kerb | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Josh Bressers <bressers> |
| Component: | krb5 | Assignee: | Nalin Dahyabhai <nalin> |
| Status: | CLOSED CANTFIX | QA Contact: | Brian Brock <bbrock> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 3 | CC: | mattdm |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2006-10-31 20:32:30 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Fedora Core 3 is now maintained by the Fedora Legacy project for security updates only. If this problem is a security issue, please reopen and reassign to the Fedora Legacy product. If it is not a security issue and hasn't been resolved in the current FC5 updates or in the FC6 test release, reopen and change the version to match. Thank you! Closing per lack of response to previous request for information. This bug was originally filed against a much earlier version of Fedora Core, and significant changes have taken place since the last version for which this bug is confirmed. Note that FC3 and FC4 are supported by Fedora Legacy for security fixes only. Please install a still supported version and retest. If it still occurs on FC5 or FC6, please reopen and assign to the correct version. Otherwise, if this a security issue, please change the product to Fedora Legacy. Thanks, and we are sorry that we did not get to this bug earlier. |
When running mod_auth_kerb with an empty keytab file, the httpd child dies from a libc double free warning. What's hapening comes from this snipped of code. if (!xfread(&kt_vno, sizeof(kt_vno), 1, KTFILEP(id))) { kerror = errno; The problem with this is that xfread is really calling fread, which returns a 0 on EOF and error. When the keytab file is empty, the stream is closed, then kerror is returned (which is 0). The caller then thinks everything is OK, and tries to close the stream after it's done doing its job. This causes the double free. I have no doubt that this is not the only place this happens, but it's the only one that's been caught. This problem hasn't shown up in the past becuase a double free wouldn't cause libc to die. This problem shoudl be fixed by turning the if statement into something like this. if (!xfread(&kt_vno, sizeof(kt_vno), 1, KTFILEP(id)) && ferror(KTFILEP(id)) { This change did resolve the double free condition I was seeing.