#1139320 heimdal-kcm: Memory leak in handle_read

Package:
heimdal-kcm
Source:
heimdal-kcm
Description:
Heimdal Kerberos - KCM daemon
Submitter:
Steffen Kieß
Date:
2026-06-29 13:39:01 UTC
Severity:
normal
#1139320#5
Date:
2026-06-08 14:59:27 UTC
In lib/ipc/server.c there is a memory leak for the c->inmsg
allocation in handle_read(). This affects kcm (and probably other
servers using this library, but I haven't tested that). For every
request sent to KCM a few bytes are leaked.

This has been fixed upstream on the master branch, but not on
heimdal-7-1-branch:
https://github.com/heimdal/heimdal/pull/983
https://github.com/heimdal/heimdal/commit/5dd29ecd2cc794144de059014a5cbc9c92c3d8bb

As this will cause the kcm process to leak memory until it is killed by
the OOM killer, it would be useful to have the fix backported to stable,
and if possible oldstable and oldoldstable.

Steps to reproduce:
- Compile heimdal to get debug symbols for kcm
- Run: valgrind --leak-check=full kcm/.libs/kcm
- Run (in another terminal): for i in $(seq 1 1000); do klist -A; done
The result will show something like:
[...]
==144405== 1,031,168 bytes in 1,007 blocks are definitely lost in loss
record 40 of 40
==144405==    at 0x48406C4: malloc (vg_replace_malloc.c:380)
==144405==    by 0x494CE18: rk_erealloc (in
/usr/lib/x86_64-linux-gnu/libroken.so.19.0.0)
==144405==    by 0x113887: handle_read (server.c:877)
==144405==    by 0x113887: process_loop (server.c:1013)
==144405==    by 0x113887: heim_ipc_main (server.c:1184)
==144405==    by 0x10CAAC: main (main.c:103)
==144405==
==144405== LEAK SUMMARY:
==144405==    definitely lost: 1,031,176 bytes in 1,008 blocks
==144405==    indirectly lost: 0 bytes in 0 blocks
==144405==      possibly lost: 437 bytes in 6 blocks
==144405==    still reachable: 3,949 bytes in 139 blocks
==144405==         suppressed: 0 bytes in 0 blocks
[...]
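
A minimal model of the lifecycle bug described above, added here as an example and not taken from Heimdal's lib/ipc/server.c: the struct, the append-on-read growth of inmsg and the two close variants are constructed to mirror the report, and a block counter stands in for valgrind so the leak is observable as a return value.

```c
/* Constructed model of the IPC server client lifecycle (not Heimdal code). */
#include <stdlib.h>
#include <string.h>

struct client {
    unsigned char *inmsg;   /* request buffer grown by realloc() in handle_read() */
    size_t inmsg_len;
};

/* Counts live request buffers so the leak can be observed without valgrind. */
static long live_blocks;

static void *tracked_realloc(void *p, size_t n) {
    void *q = realloc(p, n);
    if (q == NULL) abort();          /* allocation failure: model keeps it simple */
    if (p == NULL) live_blocks++;    /* a NULL -> non-NULL realloc creates a block */
    return q;
}

static void tracked_free(void *p) {
    if (p != NULL) live_blocks--;
    free(p);
}

/* Model of handle_read(): append the bytes just read to c->inmsg. */
static void handle_read(struct client *c, const unsigned char *buf, size_t n) {
    c->inmsg = tracked_realloc(c->inmsg, c->inmsg_len + n);
    memcpy(c->inmsg + c->inmsg_len, buf, n);
    c->inmsg_len += n;
}

/* Before the fix: the client struct is freed but its buffer is not. */
static void maybe_close_leaky(struct client *c) { free(c); }

/* After the fix: the buffer is released before the struct that owns it. */
static void maybe_close_fixed(struct client *c) { tracked_free(c->inmsg); free(c); }

/* Simulate `conns` connections, each delivering a constructed request in two
 * chunks, and return how many request buffers are still allocated afterwards. */
long simulate(int conns, int fixed) {
    static const unsigned char req[] = "constructed KCM request";
    live_blocks = 0;
    for (int i = 0; i < conns; i++) {
        struct client *c = calloc(1, sizeof *c);   /* inmsg starts out NULL */
        handle_read(c, req, sizeof req);
        handle_read(c, req, sizeof req);            /* second chunk grows the same buffer */
        if (fixed) maybe_close_fixed(c); else maybe_close_leaky(c);
    }
    return live_blocks;
}
```

With 1,000 simulated connections the leaky close leaves 1,000 buffers live, matching the one-block-per-request pattern in the valgrind output, while the fixed close leaves none.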

#1139320#14
Date:
2026-06-29 13:38:10 UTC
From: Micael Vinicius Lira Prado <micael0208@usp.br>

The input buffer (c->inmsg) is allocated in handle_read() using
erealloc(), but it is never released when the client is destroyed.

Free the input buffer before freeing the client structure to avoid
leaking memory on every closed IPC connection.

Signed-off-by: Micael Prado <micael0208@usp.br>
Co-developed-by: João Marinho <joao.bcc@usp.br>
Signed-off-by: João Marinho <joao.bcc@usp.br>
---
 lib/ipc/server.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/ipc/server.c b/lib/ipc/server.c
index 482b9197b..46d494051 100644
--- a/lib/ipc/server.c
+++ b/lib/ipc/server.c
@@ -693,6 +693,7 @@ maybe_close(struct client *c)
     dispatch_release(c->out);
 #endif
     close(c->fd); /* ref count fd close */
+    free(c->inmsg);
     free(c);
     return 1;
 }
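
Review bot: the added `free(c->inmsg)` is only safe if every `struct client` reaching maybe_close() has `inmsg` either NULL or pointing at a live erealloc()'d buffer, so please confirm the client structure is zero-initialised when it is created (free(NULL) is a no-op, but freeing an indeterminate pointer is undefined behaviour). Since the original report counts roughly one lost block per request rather than per connection, it is also worth checking that handle_read() does not drop the previous buffer when it reallocates for a subsequent request on the same connection, which a free at close time would not cover; a short note in the commit message on either point would help reviewers of the stable backport.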