Catching more principals in ads_keytab_verify_ticket()

Michael Brown mbrown at fensystems.co.uk
Sat Mar 12 10:09:04 GMT 2005


On Fri, 11 Mar 2005, Jeremy Allison wrote:
> > Just a reminder.
> > This patch works in conjunction with Michael Brown's patch to 
> > kerberos_verify.c.
> > If you don't want to use that patch, then essentially the same thing 
> > needs to be done in kerberos_verify.c for these names to be matched and 
> > used there.
> 
> Yes, but I can't use his patch as-is due to the memory leak of not freeing
> the keytab entry after reading.
> 
> This is why I *hate* kerberos. No one ever writes working kerberos code. Ever.
> Not even me - I bet even when I've fixed it there's another problem somewhere... :-).

Are you sure it needs to be freed?  I was basing it on the keytab 
iteration code in MIT's klist.c, which does:

    while ((code = krb5_kt_next_entry(kcontext, kt, &entry, &cursor)) == 0) {
        if ((code = krb5_unparse_name(kcontext, entry.principal, &pname))) {
            com_err(progname, code, "while unparsing principal name");
            exit(1);
        }
        ... several printf statements ...
        krb5_free_unparsed_name(kcontext, pname);
    }

I added code to always free the unparsed name, even if the loop aborts 
(since we don't just exit() in kerberos_verify.c).  From looking at 
kinit.c, I assumed that krb5_kt_next_entry() returned a pointer to a 
static structure in entry, in which case freeing it would be a bad idea.

Heimdal may be different, of course; I don't know.

Michael


