[16915] in Kerberos-V5-bugs


[krbdev.mit.edu #9110] profile write functions crash on profile with

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Sun Jan 14 01:20:18 2024

From: "Greg Hudson via RT" <rt@kerborg-prod-app-1.mit.edu>
In-Reply-To: <fd6731b8-4297-4a34-8813-1c81f80c8285@posteo.net>
Message-ID: <rt-4.4.3-2-892564-1705213210-1573.9110-5-0@kerborg-prod-app-1.mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9110":;
Date: Sun, 14 Jan 2024 01:20:10 -0500
MIME-Version: 1.0
Reply-To: rt@kerborg-prod-app-1.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu


<URL: http://kerborg-prod-app-1.mit.edu/rt/Ticket/Display.html?id=9110 >

Summarizing the linked bug report from our perspective:

* FreeRDP has a function krb5glue_get_init_creds(), which calls
krb5_get_profile() and manipulates the resulting profile with several calls,
beginning with profile_clear_relation().

* Per the stack trace, profile_clear_relation() calls rw_setup(), which
dereferences a null pointer at line 40 because profile->first_file is null.

* The crash occurs when there is no /etc/krb5.conf.

I can easily reproduce this crash with the following code (run with the
KRB5_CONFIG environment variable set to a nonexistent path):

    /* Reproducer: build against libkrb5 and libprofile, then run with
     * KRB5_CONFIG pointing at a path that does not exist. */
    #include <krb5.h>
    #include <profile.h>

    int main(void)
    {
        krb5_context ctx;
        profile_t prof;

        /* No config file is found, so the context's profile has no files. */
        if (krb5_init_context(&ctx))
            return 1;
        if (krb5_get_profile(ctx, &prof))
            return 1;
        /* Any profile write function goes through rw_setup(), which
         * dereferences profile->first_file; that pointer is NULL here. */
        profile_clear_relation(prof, NULL);
        return 0;
    }

A look at the code history suggests that this bug is long-standing, although I
haven't tested against older releases.

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
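To make the failure mode in the report concrete without a krb5 build, here is an added C model (not code from MIT krb5 or FreeRDP, and not the fix that was committed for this ticket). It mirrors the shape of libprofile's write path: a profile whose first_file is NULL because no configuration file was loaded, a setup routine that locks the first file's data as the stack trace describes, and the guard such a routine needs. All names prefixed model_ are hypothetical, the per-file mutex is replaced by a counter, and the error values are placeholders rather than the codes in krb5's prof_err.h.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Hypothetical model of the libprofile write path described in the report.
 * Names mirror krb5's internals (profile->first_file, rw_setup) but the
 * structures are simplified and the error codes are placeholders.
 */
typedef long errcode_t;
#define MODEL_PROF_BAD_ARG    1
#define MODEL_PROF_NO_PROFILE 2

typedef struct model_prf_data {
    const char *filespec;
    int lock_held;                 /* stands in for the per-file mutex */
} *model_prf_data_t;

typedef struct model_prf_file {
    model_prf_data_t data;
    struct model_prf_file *next;
} *model_prf_file_t;

typedef struct model_profile {
    model_prf_file_t first_file;   /* NULL when no config file was loaded */
} *model_profile_t;

/* Write-path setup as the report describes it: lock the first file's data.
 * When first_file is NULL (no /etc/krb5.conf, KRB5_CONFIG pointing nowhere),
 * the file->data access is a null pointer dereference. */
errcode_t model_rw_setup_unchecked(model_profile_t profile)
{
    model_prf_file_t file;

    if (profile == NULL)
        return MODEL_PROF_BAD_ARG;
    file = profile->first_file;
    file->data->lock_held++;       /* crashes if file == NULL */
    return 0;
}

/* Guarded variant: a profile with no backing file cannot be written to,
 * so return an error instead of dereferencing NULL. */
errcode_t model_rw_setup_checked(model_profile_t profile)
{
    model_prf_file_t file;

    if (profile == NULL)
        return MODEL_PROF_BAD_ARG;
    file = profile->first_file;
    if (file == NULL)
        return MODEL_PROF_NO_PROFILE;
    file->data->lock_held++;
    return 0;
}

/* Build a model profile; have_file == 0 stands in for krb5_init_context()
 * having found no configuration file at all. */
model_profile_t model_profile_new(const char *filespec, int have_file)
{
    model_profile_t p = calloc(1, sizeof(*p));

    if (p == NULL)
        return NULL;
    if (have_file) {
        model_prf_file_t f = calloc(1, sizeof(*f));
        if (f == NULL) { free(p); return NULL; }
        f->data = calloc(1, sizeof(*f->data));
        if (f->data == NULL) { free(f); free(p); return NULL; }
        f->data->filespec = filespec;
        p->first_file = f;
    }
    return p;
}

void model_profile_free(model_profile_t p)
{
    if (p == NULL)
        return;
    if (p->first_file != NULL) {
        free(p->first_file->data);
        free(p->first_file);
    }
    free(p);
}

int main(void)
{
    model_profile_t no_file = model_profile_new("/nonexistent/krb5.conf", 0);
    model_profile_t with_file = model_profile_new("/etc/krb5.conf", 1);

    printf("checked, no file:   %ld\n", model_rw_setup_checked(no_file));
    printf("checked, with file: %ld\n", model_rw_setup_checked(with_file));
    /* model_rw_setup_unchecked(no_file) would segfault here, as in the report. */
    model_profile_free(no_file);
    model_profile_free(with_file);
    return 0;
}
```

The point of the guarded variant is that the NULL case is reachable from ordinary application code: any caller that obtains the context's profile with krb5_get_profile() and then calls a write function inherits whatever the context found on disk, so either the library must check first_file before locking it or the caller must avoid write functions when no configuration file exists.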
