[16432] in Kerberos-V5-bugs


[krbdev.mit.edu #8856] segfault in

daemon@ATHENA.MIT.EDU (Jeffrey Arbuckle via RT)
Sat Dec 21 22:49:57 2019

From: Jeffrey Arbuckle via RT <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <CAOvMb=5zyOQAn_xrf-c6VAjfv5td98_f9-hESdzfrP1Lhx-A1w@mail.gmail.com>
Message-ID: <rt-4.4.4-12368-1576986589-910.8856-4-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #8856":;
Date: Sat, 21 Dec 2019 22:49:49 -0500
MIME-Version: 1.0
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu


Sat Dec 21 22:49:49 2019: Request 8856 was acted upon.
 Transaction: Ticket created by jeffa.lans@gmail.com
       Queue: krb5
     Subject: segfault in krb5-1.17.1/src/lib/krb5/krb/authdata.c
       Owner: Nobody
  Requestors: jeffa.lans@gmail.com
      Status: new
 Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8856 >


I have run into a segfault bug with krb5-1.17.1 and earlier versions at:

lib/krb5/krb/authdata.c, line 562:

          for (n_elements = 0; elements[n_elements] != NULL; n_elements++);

The segfault occurs because elements is NULL.

This is due to the earlier call to k5_unwrap_cammac_svc() that returns
KRB5KRB_AP_ERR_BAD_INTEGRITY and leaves elements as NULL:

lib/krb5/krb/authdata.c, line 556:

        ret = k5_unwrap_cammac_svc(kcontext, cammacs[i], key, &elements);
        if (ret && ret != KRB5KRB_AP_ERR_BAD_INTEGRITY)

The issue is fixable with the following patch, but the bypassing of the
KRB5KRB_AP_ERR_BAD_INTEGRITY result is suspect:

--- krb5-1.17.1/src/lib/krb5/krb/authdata.c     2019-12-11
10:13:10.000000000 -0700
+++ krb5-1.17.1/src/lib/krb5/krb/authdata.c.    2019-12-18
11:27:06.555957314 -0700
@@ -558,6 +558,8 @@
             goto cleanup;
         ret = 0;

+        if ( elements == NULL ) continue;
+
         /* Add the verified elements to list and free the container array.
*/
         for (n_elements = 0; elements[n_elements] != NULL; n_elements++);
         new_list = realloc(list, (count + n_elements + 1) * sizeof(*list));
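Review bot: the added guard `if ( elements == NULL ) continue;` tests the pointer rather than the condition that produced it, and it sits after `ret = 0;`, so a container whose MAC failed is dropped silently and indistinguishably from an empty one; since the report itself calls the bypass of KRB5KRB_AP_ERR_BAD_INTEGRITY suspect, it would be clearer to handle that branch explicitly where the error is checked, e.g. `if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) { ret = 0; continue; }`, and let a NULL `elements` on a successful unwrap remain a bug rather than a skipped iteration. The hunk also does not show `elements` being reset before each call; if a failed unwrap leaves it pointing at the previous iteration's container array (which the comment below says is freed), the NULL test will not catch that, so confirm the pointer is cleared per iteration. Minor style point: the spaces inside the parentheses do not match the surrounding `if (ret && ret != ...)` form.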


--Jeffrey

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
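The failure mode in this report, as an added example that is not krb5 code and not the reporter's patch: a loop that counts a NULL-terminated array crashes when the array pointer itself is NULL, which happens here when the unwrap step fails its integrity check and hands back nothing. The block below reproduces the "append the verified elements, skip bad-integrity containers" logic with a NULL-tolerant count and with the integrity failure handled as an explicit branch rather than inferred from the pointer. All names (cammac_t, unwrap_cammac, BAD_INTEGRITY, list_append, collect_verified) and the sample containers are assumptions for this example, not krb5 identifiers; unwrap_cammac only simulates the verification result.

```c
/* Added example, not krb5 code. Names below are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OK 0
#define BAD_INTEGRITY 31   /* stand-in for KRB5KRB_AP_ERR_BAD_INTEGRITY */
#define ENOMEM_ERR 12

/* Constructed container: a NULL-terminated element array plus a flag that
 * stands in for the MAC check result. */
typedef struct {
    const char **elements;   /* NULL-terminated, or NULL for an empty container */
    int integrity_ok;
} cammac_t;

/* Simulates the unwrap step: on an integrity failure it returns BAD_INTEGRITY
 * and leaves *out NULL, the exact state that crashed the original loop. */
static int unwrap_cammac(const cammac_t *c, const char ***out)
{
    *out = NULL;
    if (!c->integrity_ok)
        return BAD_INTEGRITY;
    *out = c->elements;
    return OK;
}

/* Count a NULL-terminated array, treating a NULL array as empty. The original
 * loop had no such check and dereferenced elements[0] through a NULL pointer. */
static size_t count_elements(const char **elements)
{
    size_t n = 0;
    if (elements == NULL)
        return 0;
    while (elements[n] != NULL)
        n++;
    return n;
}

/* Append elements to the NULL-terminated *list holding *count entries. */
static int list_append(const char ***list, size_t *count, const char **elements)
{
    size_t n = count_elements(elements);
    const char **new_list;

    if (n == 0)
        return OK;
    new_list = realloc(*list, (*count + n + 1) * sizeof(*new_list));
    if (new_list == NULL)
        return ENOMEM_ERR;
    memcpy(new_list + *count, elements, n * sizeof(*elements));
    *count += n;
    new_list[*count] = NULL;
    *list = new_list;
    return OK;
}

/* Walk the containers: skip (and count) those that fail integrity, stop on
 * any other error, and only ever append elements from a successful unwrap. */
static int collect_verified(const cammac_t *cammacs, size_t ncammacs,
                            const char ***list_out, size_t *count_out,
                            size_t *bad_out)
{
    const char **list = NULL, **elements = NULL;
    size_t count = 0, bad = 0, i;
    int ret = OK;

    for (i = 0; i < ncammacs; i++) {
        ret = unwrap_cammac(&cammacs[i], &elements);
        if (ret == BAD_INTEGRITY) {      /* explicit branch, not a pointer test */
            bad++;
            ret = OK;
            continue;
        }
        if (ret != OK)
            break;
        ret = list_append(&list, &count, elements);
        if (ret != OK)
            break;
    }
    if (ret != OK) {
        free(list);
        list = NULL;
        count = 0;
    }
    *list_out = list;
    *count_out = count;
    *bad_out = bad;
    return ret;
}

/* Constructed sample input: two good containers around one with a bad MAC. */
static const char *good1[] = { "pac", "ad-if-relevant", NULL };
static const char *good2[] = { "authdata-x", NULL };
static const cammac_t sample[] = {
    { good1, 1 },
    { NULL, 0 },     /* integrity failure: unwrap hands back NULL */
    { good2, 1 },
};
static const size_t sample_len = sizeof(sample) / sizeof(sample[0]);

int main(void)
{
    const char **list = NULL;
    size_t count = 0, bad = 0, i;
    int ret = collect_verified(sample, sample_len, &list, &count, &bad);

    printf("ret=%d count=%zu skipped=%zu\n", ret, count, bad);
    for (i = 0; i < count; i++)
        printf("  %s\n", list[i]);
    free(list);
    return ret;
}
```

Keeping the integrity failure as its own branch, and counting how many containers were skipped, lets a caller decide whether a dropped container should be surfaced; a bare NULL check on the pointer hides that decision.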
