[3325] in Kerberos-V5-bugs
pending/1073: telnet core dumps with Windows 2000 KDC
daemon@ATHENA.MIT.EDU (Ali M)
Wed Mar 13 06:04:52 2002
Resent-From: gnats@rt-11.mit.edu (GNATS Management)
Resent-To: gnats-admin@rt-11.mit.edu
Resent-Reply-To: krb5-bugs@mit.edu, "Ali M" <ali_m_000@hotmail.com>
Message-Id: <F51MdzUMkVxoNJ0Dla7000156b4@hotmail.com>
From: "Ali M" <ali_m_000@hotmail.com>
To: krb5-bugs@mit.edu
Errors-To: krb5-bugs-admin@mit.edu
Date: Wed, 13 Mar 2002 11:02:06 +0000
>Number: 1073
>Category: pending
>Synopsis: telnet core dumps with Windows 2000 KDC
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: gnats-admin
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Mar 13 06:03:00 EST 2002
>Last-Modified:
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
Submitter-Id: net
Originator: Super-User
Organization:
Confidential: no
Synopsis: Telnet dies if TGT Authorization-Data field too large
Severity: non-critical
Priority: low
Category: krb5-appl
Class: change-request
Release: krb5-1.2.3
Environment:
System: SunOS secsol5 5.6 Generic_105181-21 sun4u sparc SUNW,Ultra-5_10
Architecture: sun4
Description:
When using MIT kerberos against a Windows 2000 KDC, obtaining a TGT
for a user that is a member of many Windows groups causes the
Authorization-Data field of the TGT to become very large. Telnet contains
2048 byte buffers for the network output ring and also as a work buffer
in libtelnet/kerberos5.c When the TGT is too large, the buffer in
kerberos5.c overflows and overwrites the variables declared after it,
particularly the krb5_context structure - a core dump soon follows!
How-To-Repeat:
Create a user account at the Win2K KDC and make it a member of many
groups - 10 to 12 is usually sufficient.
Fix:
Personally I increased the size of the static buffer in
libtelnet/kerberos5.c line 99: static unsigned char str_data[2048]
and the network output ring buffer
telnet/network.c line 56: unsigned char netobuf[2*BUFSIZ],
to be big enough to accomodate the largest expected user account on the
company's network.
I would recommend that any future enhancement to telnet would use a
dynamically allocated buffer in kerberos5.c and that there be some
way of flushing the ring buffer so that a large TGT can be processed
in a loop, since the TGT size is not known at the time the ring buffer
is allocated.
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
http://mailman.mit.edu/mailman/listinfo/krb5-bugs
