Bug 140955

Summary: krb5 double free error when running mod_auth_kerb
Product: Fedora
Reporter: Josh Bressers <bressers>
Component: krb5
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED CANTFIX
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 3
CC: mattdm
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-10-31 15:32:30 EST

Description Josh Bressers 2004-11-26 17:48:32 EST
When running mod_auth_kerb with an empty keytab file, the httpd child
dies from a libc double free warning.

What's happening comes from this snippet of code.

if (!xfread(&kt_vno, sizeof(kt_vno), 1, KTFILEP(id))) {
    kerror = errno;

The problem with this is that xfread is really calling fread, which
returns a 0 on EOF and error.  When the keytab file is empty, the
stream is closed, then kerror is returned (which is 0).  The caller
then thinks everything is OK, and tries to close the stream after it's
done doing its job.  This causes the double free.

I have no doubt that this is not the only place this happens, but it's
the only one that's been caught.

This problem hasn't shown up in the past because a double free
wouldn't cause libc to die.

This problem should be fixed by turning the if statement into
something like this.

if (!xfread(&kt_vno, sizeof(kt_vno), 1, KTFILEP(id)) &&
    ferror(KTFILEP(id))) {

This change did resolve the double free condition I was seeing.
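The failure mode described in the report, shown as an added example that is not code from the report or from krb5: fread() returns 0 for both a clean EOF and an I/O error, and errno is 0 at a clean EOF, so a check that only tests the return value and then reports errno turns an empty file into a "success" while the stream has already been closed. The example contrasts that pattern with one that separates EOF from error via feof()/ferror() and never closes a stream it does not own, and it adds an idempotent close wrapper that makes a second close a no-op. All names (read_vno_buggy, read_vno_fixed, kt_handle, kt_close) and the assumption that the version word is 16 bits wide are constructed for this illustration; the input streams are built in memory with tmpfile().

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed status codes: a short read is either clean EOF or a real error. */
enum kt_read_status { KT_READ_OK = 0, KT_READ_EOF = 1, KT_READ_ERROR = 2 };

/* Buggy pattern from the report: any short read is treated as an error
 * whose code is errno. At a clean EOF errno is still 0, so the caller
 * receives 0 and assumes the read (and the stream) are fine. */
static int read_vno_buggy(FILE *fp, uint16_t *vno)
{
    errno = 0;
    if (!fread(vno, sizeof(*vno), 1, fp)) {
        int kerror = errno;   /* 0 on EOF: indistinguishable from success */
        return kerror;
    }
    return 0;
}

/* Fixed pattern: ask the stream whether the short read was EOF or an error.
 * The stream is never closed here; ownership stays with the caller. */
static enum kt_read_status read_vno_fixed(FILE *fp, uint16_t *vno)
{
    errno = 0;
    if (fread(vno, sizeof(*vno), 1, fp) != 1) {
        if (ferror(fp))
            return KT_READ_ERROR;
        return KT_READ_EOF;   /* feof(fp) is set; an empty keytab lands here */
    }
    return KT_READ_OK;
}

/* Build a temporary stream holding `len` bytes of constructed input. */
static FILE *make_stream(const unsigned char *data, size_t len)
{
    FILE *fp = tmpfile();
    if (!fp)
        return NULL;
    if (len && fwrite(data, 1, len, fp) != len) {
        fclose(fp);
        return NULL;
    }
    rewind(fp);
    return fp;
}

/* Returns 1 when the buggy check reports an empty keytab as success. */
int buggy_reports_success_on_empty(void)
{
    FILE *fp = make_stream(NULL, 0);
    uint16_t vno = 0;
    int rc = read_vno_buggy(fp, &vno);
    fclose(fp);               /* the single owner closes exactly once */
    return rc == 0;
}

/* Status the fixed reader returns for an empty keytab (expected KT_READ_EOF). */
int fixed_status_on_empty(void)
{
    FILE *fp = make_stream(NULL, 0);
    uint16_t vno = 0;
    int rc = (int)read_vno_fixed(fp, &vno);
    fclose(fp);
    return rc;
}

/* Returns 1 when a two-byte constructed header is read back intact. */
int fixed_reads_valid_header(void)
{
    const unsigned char hdr[2] = { 0x05, 0x02 };   /* constructed sample bytes */
    FILE *fp = make_stream(hdr, sizeof hdr);
    uint16_t vno = 0;
    unsigned char got[2];
    int rc = (int)read_vno_fixed(fp, &vno);
    fclose(fp);
    memcpy(got, &vno, sizeof got);   /* compare raw bytes, endian-neutral */
    return rc == KT_READ_OK && memcmp(got, hdr, sizeof hdr) == 0;
}

/* Mitigation for the close-twice hazard: a handle whose close is idempotent.
 * Nulling the pointer after fclose() turns a second close into a no-op. */
struct kt_handle { FILE *fp; int real_closes; };

static void kt_close(struct kt_handle *h)
{
    if (h->fp) {
        fclose(h->fp);
        h->fp = NULL;
        h->real_closes++;
    }
}

/* Returns the number of real fclose() calls after closing a handle twice. */
int double_close_real_closes(void)
{
    struct kt_handle h = { make_stream(NULL, 0), 0 };
    kt_close(&h);   /* callee's close, as in the reported path */
    kt_close(&h);   /* caller's close: now harmless */
    return h.real_closes;
}

int main(void)
{
    printf("buggy sees empty keytab as success: %d\n", buggy_reports_success_on_empty());
    printf("fixed status on empty keytab: %d (1 = EOF)\n", fixed_status_on_empty());
    printf("fixed reads valid header: %d\n", fixed_reads_valid_header());
    printf("real closes after closing twice: %d\n", double_close_real_closes());
    return 0;
}
```

The ferror() test alone, as proposed in the report, stops the empty-file case from being reported as an error, but the cleaner fix is the ownership rule the fixed reader follows: whichever function opened the stream closes it, exactly once, and a helper that reports a failure leaves the stream for its owner to close.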
Comment 1 Matthew Miller 2006-07-10 16:36:46 EDT
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!
Comment 2 John Thacker 2006-10-31 15:32:30 EST
Closing per lack of response to previous request for information.
This bug was originally filed against a much earlier version of Fedora
Core, and significant changes have taken place since the last version
for which this bug is confirmed.

Note that FC3 and FC4 are supported by Fedora Legacy for security
fixes only.  Please install a still supported version and retest.  If
it still occurs on FC5 or FC6, please reopen and assign to the correct
version.  Otherwise, if this a security issue, please change the
product to Fedora Legacy.  Thanks, and we are sorry that we did not
get to this bug earlier.