[11685] in Kerberos-V5-bugs


[krbdev.mit.edu #6777] Segmentation fault in krb library (sn2princ.c)

daemon@ATHENA.MIT.EDU (Krier@krbdev.MIT.EDU, Richard " vi)
Tue Sep 14 15:11:58 2010

Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: Krier@krbdev.MIT.EDU, Richard " via RT" <rt-comment@krbdev.MIT.EDU>
In-Reply-To: <rt-6777@krbdev.mit.edu>
Message-ID: <rt-6777-33140.16.0206669616424@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #6777'":;"'AdminCc of krbdev.mit.edu Ticket #6777'":;@MIT.EDU
Date: Tue, 14 Sep 2010 15:10:55 -0400 (EDT)
Reply-To: rt-comment@krbdev.MIT.EDU
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu

  To: krb5-bugs@mit.edu
  Subject: Segmentation fault in krb library (sn2princ.c) if realm not resolved
  From: Richard.Krier@globalfoundries.com
  Reply-To: Richard.Krier@globalfoundries.com
  Cc:
  X-send-pr-version: 3.99

     >Submitter-Id:
     >Originator:      Richard Krier
     >Organization:    GlobalFoundries

     >Confidential:    no
     >Synopsis: Segmentation fault in sn2princ.c if realm not resolved. Need checks for zero-length string and/or NULL pointer
     >Severity: serious
     >Priority: medium
     >Category: krb5-bug
     >Class:           krb5-bug
     >Release: 1.6.3, 1.8.3
     >Environment:
        <machine, os, target, libraries (multiple lines)>
     System: AIX 5.3, Kerberos libraries built in 64-bit mode
     Machine:
     >Description:
              1. sname_to_princ() (sn2princ.c) calls krb5_get_host_realm() to resolve the Kerberos realm from the host name.
              2. If the realm is unresolved, krb5_get_host_realm() returns a zero-length string, i.e. 1 byte containing just '\0'.
              3. sname_to_princ() then performs an inadequate check for realm resolution:
PROBLEM IS HERE:   if (!hrealms[0]) {   /* this only checks if ptr is NULL, but not if string is zero-length */
                      free(remote_host);
                      krb5_xfree(hrealms);
                      return KRB5_ERR_HOST_REALM_UNKNOWN;
                    }
              4. sname_to_princ() then calls krb5_build_principal(); the principal is not created in this case, so *ret_princ is NULL.
ALSO HERE:       No check is made to determine if *ret_princ is NULL before using it to make the assignment in point 5.
              5. sname_to_princ() gets a segmentation fault trying to use the null *ret_princ to assign 'type'.


     >How-To-Repeat:
             N/A
     >Fix:
             In file sn2princ.c:
             1. Modify the realm-check above to check for either a NULL pointer or a zero-length string:
                if ( (!hrealms[0]) || (0==strlen(hrealms[0])) )    /* or perhaps   ('\0'==hrealms[0][0]) */

            2. Add a check for *ret_princ being NULL after calling krb5_build_principal()
                    if (NULL==*ret_princ) {
                      free(remote_host);
                      krb5_xfree(hrealms);
                      return KRB5_ERR_HOST_REALM_UNKNOWN;
                    }



_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
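The two checks discussed in the report, reduced to a stand-alone program. This is an added example and not code from the krb5 tree or from the reporter: `realm_unknown_original()` is the pointer-only test quoted above, `realm_unknown_fixed()` adds the zero-length test, and `build_principal_stub()` is a hypothetical stand-in for krb5_build_principal() that just reproduces the behaviour the report describes (no principal, output pointer left NULL, when the realm is empty). The sample realm lists are constructed, not captured from krb5_get_host_realm().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample inputs in the shape of the hrealms list the report
 * describes: a NULL-terminated array of C strings, whose only entry is ""
 * when the realm could not be resolved. Not real krb5 output. */
static char *const REALMS_UNRESOLVED[] = { "", NULL };
static char *const REALMS_RESOLVED[]   = { "EXAMPLE.COM", NULL };

/* The check as quoted in the report: it only rejects a NULL first entry,
 * so an empty string passes and is treated as a resolved realm. */
static int realm_unknown_original(char *const *hrealms)
{
    return hrealms[0] == NULL;
}

/* The check the report proposes: NULL entry or zero-length string. */
static int realm_unknown_fixed(char *const *hrealms)
{
    return hrealms[0] == NULL || hrealms[0][0] == '\0';
}

/* Hypothetical stand-in for the principal-construction step. It mirrors
 * the failure mode in the report: with an empty realm no principal is
 * built and *out stays NULL, so the caller must not dereference it. */
struct fake_principal { int type; const char *realm; };

static int build_principal_stub(const char *realm, struct fake_principal **out)
{
    *out = NULL;
    if (realm == NULL || realm[0] == '\0')
        return -1;
    *out = malloc(sizeof **out);
    if (*out == NULL)
        return -2;
    (*out)->type = 0;
    (*out)->realm = realm;
    return 0;
}

/* The sname_to_princ() control flow reduced to the two decisions at issue.
 * Returns 0 on success, 1 if the realm check rejected the input, and 2 if
 * the realm passed the check but no principal came back. Without the
 * second check, the path that returns 2 is where the original code went
 * on to dereference a NULL *princ. */
static int resolve_and_build(char *const *hrealms, int use_fixed_check,
                             struct fake_principal **princ)
{
    *princ = NULL;
    int unknown = use_fixed_check ? realm_unknown_fixed(hrealms)
                                  : realm_unknown_original(hrealms);
    if (unknown)
        return 1;                       /* KRB5_ERR_HOST_REALM_UNKNOWN path */
    build_principal_stub(hrealms[0], princ);
    if (*princ == NULL)
        return 2;                       /* the second check the report asks for */
    (*princ)->type = 3;                 /* the assignment that faulted on NULL */
    return 0;
}

int main(void)
{
    struct fake_principal *p = NULL;
    printf("original check on \"\": unknown=%d\n",
           realm_unknown_original(REALMS_UNRESOLVED));
    printf("fixed check on \"\":    unknown=%d\n",
           realm_unknown_fixed(REALMS_UNRESOLVED));
    printf("original flow on \"\": rc=%d princ=%p\n",
           resolve_and_build(REALMS_UNRESOLVED, 0, &p), (void *)p);
    printf("fixed flow on \"\":    rc=%d\n",
           resolve_and_build(REALMS_UNRESOLVED, 1, &p));
    printf("fixed flow on realm:  rc=%d\n",
           resolve_and_build(REALMS_RESOLVED, 1, &p));
    free(p);
    return 0;
}
```

With the original check the empty realm slips through and the caller reaches the step that dereferences the missing principal; with either of the proposed checks the function returns an error before that point. The second check is worth keeping even once the first is fixed, since it protects against any other reason the principal builder might hand back nothing.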
