[Bug 1601] New: Memory leak caused by forwarded GSSAPI credential store

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Sat May 23 20:40:17 EST 2009


           Summary: Memory leak caused by forwarded GSSAPI credential
           Product: Portable OpenSSH
           Version: 5.2p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: miguel.sanders at arcelormittal.com
                CC: miguel.sanders at arcelormittal.com

Created an attachment (id=1641)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1641)
Fix for memory leak

While debugging a GSSAPI memory allocation problem not related to
OpenSSH, I found a memory leak in OpenSSH when storing forwarded GSSAPI
credentials resulting in a growing process segment for each connection
that uses GSSAPI credentials forwarding. What happens is the following:
In the privileged parent, we are calling ssh_gssapi_storecreds() which
itself calls ssh_gssapi_krb5_storecreds(). ssh_gssapi_krb5_storecreds()
makes some memory allocations in order to save the credentials store
for the gssapi client.

  +167          client->store.filename =
xstrdup(krb5_cc_get_name(krb_context, ccache));
  +168          client->store.envvar = "KRB5CCNAME";
  +169          len = strlen(client->store.filename) + 6;
  +170          client->store.envval = xmalloc(len);
  +171          snprintf(client->store.envval, len, "FILE:%s",

Those memory allocations are never freed. Moreover, since those memory
allocations are done in the privileged parent (which is a finite-state
machine and never returns) before forking the unprivileged child, the
memory leak gets doubled for each connection that uses GSSAPI
credential forwarding.

A solution would be the following:
1) Migrate the ssh_gssapi_storecreds() call to the unprivileged child
2) Create a ssh_gssapi_free_store() call in gss-serv.c which frees the
memory allocations. At first I was thinking of integrating this in the
ssh_gssapi_cleanup_creds() call but freeing the memory is mandatory
while the cleanup of credentials is the user's choice.
3) Integrate ssh_gssapi_free_store() call in the do_cleanup() call,
which is located in session.c.

I added a patch which solved this issue.

Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list