[PATCH] NTLM_AUTH leaks memory when used with old version of curl

Shibu p shibunair80 at ymail.com
Fri Nov 13 08:09:23 MST 2009


The NTLM_AUTH helper process leaked memory when a request was fired at it from an old version of curl (version 7.15.0).

curl --proxy-ntlm -U "AD1\tester:mypassword" -x myproxy:3128 'http://quickdraw.run' >& /dev/null
--------------------------------

A request from the old version of curl (version 7.15.0) contained these flags:
(gdb) x &(ntlmssp_state->neg_flags)
0x81820a0:      0x00000201

Whereas a request from the new version of curl (version 7.19.4) had these flags:

(gdb) x &(ntlmssp_state->neg_flags)
0x81820a0:      0x00088206


The function 'winbind_pw_check' allocated 'user_session_key' for each such request (from old curl versions).
In the function ntlmssp_server_auth, since the negotiate flags matched neither 'NTLMSSP_NEGOTIATE_LM_KEY' nor 'NTLMSSP_NEGOTIATE_NTLM2', the allocated 'user_session_key' was assigned to 'session_key'. Since the flags also did not match 'NTLMSSP_NEGOTIATE_KEY_EXCH', 'session_key' was assigned to 'ntlmssp_state->session_key'.
In manage_squid_ntlmssp_request, this session_key was supposed to be cached and released in the very next request. Instead of just holding the alloc'ed pointer, it was overwritten with a new allocation. Thus the original 'ntlmssp_state->session_key' keeps leaking on every transaction of this kind.

Thanks,
Shibu Piriyath.
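As an added illustration of the leak described above (this is not Samba's code and not the attached patch): a simplified C model in which the per-request key is stored into the state without releasing the one cached from the previous request. The flag constants are the standard MS-NLMP values; the `ntlm_state_t` struct, `handle_request` and `leaked_blocks` are hypothetical stand-ins, and the live-block counter replaces a real leak checker.

```c
#include <stdint.h>
#include <stdlib.h>

/* Standard NTLMSSP negotiate-flag bits (MS-NLMP); only the three named in the report. */
#define NTLMSSP_NEGOTIATE_LM_KEY   0x00000080
#define NTLMSSP_NEGOTIATE_NTLM2    0x00080000
#define NTLMSSP_NEGOTIATE_KEY_EXCH 0x40000000

/* Hypothetical, much simplified stand-in for Samba's ntlmssp_state. */
typedef struct {
    uint32_t neg_flags;
    uint8_t *session_key;   /* owned by the state; meant to be released on the next request */
} ntlm_state_t;

static int live_blocks = 0;  /* outstanding heap blocks; stands in for a leak checker */

static uint8_t *alloc_key(void) { live_blocks++; return calloc(16, 1); }
static void free_key(uint8_t *k) { if (k) { live_blocks--; free(k); } }

/* One request through the path the report describes: with neither LM_KEY nor
 * NTLM2 set, the per-request user_session_key becomes the state's session_key
 * (and with KEY_EXCH clear it is stored as-is). With fix == 0 the old pointer is
 * simply overwritten, as in the bug; with fix == 1 it is freed first. */
static void handle_request(ntlm_state_t *st, int fix) {
    uint8_t *user_session_key = alloc_key();   /* models the allocation in winbind_pw_check */
    if (st->neg_flags & (NTLMSSP_NEGOTIATE_LM_KEY | NTLMSSP_NEGOTIATE_NTLM2)) {
        free_key(user_session_key);   /* other key-derivation paths, not modelled here */
        return;
    }
    if (fix) free_key(st->session_key);   /* release the key cached from the previous request */
    st->session_key = user_session_key;
}

/* Runs n requests with the given flags and returns blocks still live after teardown. */
int leaked_blocks(uint32_t neg_flags, int n, int fix) {
    ntlm_state_t st = { neg_flags, NULL };
    live_blocks = 0;
    for (int i = 0; i < n; i++) handle_request(&st, fix);
    free_key(st.session_key);   /* teardown frees whatever the state still points at */
    return live_blocks;
}
```

With the old curl's flags (0x00000201) ten requests leave nine blocks unreachable in the buggy variant and none once the previous key is freed; with the new curl's flags (0x00088206) the leaking path is never taken.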

-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch-ntlm_auth.c
Type: application/octet-stream
Size: 423 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20091113/d5e027ae/attachment.obj>
