Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
Bug 140955 - krb5 double free error when running mod_auth_kerb
krb5 double free error when running mod_auth_kerb
Product: Fedora
Classification: Fedora
Component: krb5 (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
Brian Brock
Depends On:
  Show dependency treegraph
Reported: 2004-11-26 17:48 EST by Josh Bressers
Modified: 2007-11-30 17:10 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-10-31 15:32:30 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Josh Bressers 2004-11-26 17:48:32 EST
When running mod_auth_kerb with an empty keytab file, the httpd child
dies from a libc double free warning.

What's hapening comes from this snipped of code.

if (!xfread(&kt_vno, sizeof(kt_vno), 1, KTFILEP(id))) {
    kerror = errno;

The problem with this is that xfread is really calling fread, which
returns a 0 on EOF and error.  When the keytab file is empty, the
stream is closed, then kerror is returned (which is 0).  The caller
then thinks everything is OK, and tries to close the stream after it's
done doing its job.  This causes the double free.

I have no doubt that this is not the only place this happens, but it's
the only one that's been caught.

This problem hasn't shown up in the past becuase a double free
wouldn't cause libc to die.

This problem shoudl be fixed by turning the if statement into
something like this.

if (!xfread(&kt_vno, sizeof(kt_vno), 1, KTFILEP(id)) &&
    ferror(KTFILEP(id)) {

This change did resolve the double free condition I was seeing.
Comment 1 Matthew Miller 2006-07-10 16:36:46 EDT
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!
Comment 2 John Thacker 2006-10-31 15:32:30 EST
Closing per lack of response to previous request for information.
This bug was originally filed against a much earlier version of Fedora
Core, and significant changes have taken place since the last version
for which this bug is confirmed.

Note that FC3 and FC4 are supported by Fedora Legacy for security
fixes only.  Please install a still supported version and retest.  If
it still occurs on FC5 or FC6, please reopen and assign to the correct
version.  Otherwise, if this a security issue, please change the
product to Fedora Legacy.  Thanks, and we are sorry that we did not
get to this bug earlier.

Note You need to log in before you can comment on or make changes to this bug.