[2755] in Kerberos-V5-bugs
krb5-kdc/444: kdc dumps core with require-preauth
daemon@ATHENA.MIT.EDU (Wolfgang Rupprecht)
Mon Jul 14 21:15:50 1997
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, wolfgang@wsrcc.com
Date: Mon, 14 Jul 1997 18:13:13 -0700 (PDT)
From: Wolfgang Rupprecht <wolfgang@wsrcc.com>
Reply-To: wolfgang@wsrcc.com
To: krb5-bugs@MIT.EDU
>Number: 444
>Category: krb5-kdc
>Synopsis: kdc (and secondaries) dump core with preauth
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Mon Jul 14 21:14:00 EDT 1997
>Last-Modified:
>Originator: Wolfgang Rupprecht
>Organization:
W S Rupprecht Computer Consulting, Fremont CA
>Release: 1.0pl1
>Environment:
System: NetBSD capsicum.wsrcc.com 1.2G NetBSD 1.2G (WSRCC) #1: Sun Jul 13 07:31:42 PDT 1997 root@capsicum.wsrcc.com:/v/netbsd-current/sys/arch/i386/compile/WSRCC i386
Also seen under SunOS 4.1.4 on a sparc ss5 w. gcc -O2.
>Description:
The kdc (and secondaries) dump core when a principal that has the
require-preauth attr. set tries to kinit.
>How-To-Repeat:
kadmin.local
modprinc +requires_preauth test
^D
(wait for it to propagate)
kinit test
<blam> (all kdc's in realm take a snooze.)
>Fix:
Program received signal SIGSEGV (11), Segmentation fault
0x4010e41f in memset ()
(gdb) bt
Reading in symbols for ../../kdc/kdc_preauth.c...
debug info mismatch between compiler and debugger...done.
Reading in symbols for ../../kdc/do_as_req.c...done.
Reading in symbols for ../../kdc/dispatch.c...done.
Reading in symbols for ../../kdc/network.c...done.
#0 0x4010e41f in memset ()
#1 0x400a489c in krb5_free_etype_info ()
#2 0x5f92 in get_preauth_hint_list (request=0x16180, client=0xf7bfc718,
server=0xf7bfc6d8, e_data=0xf7bfc5e4) at ../../kdc/kdc_preauth.c:207
#3 0x21c0 in process_as_req (request=0x16180, from=0x0, portnum=88,
response=0xf7bfc7a4) at ../../kdc/do_as_req.c:293
#4 0x1985 in dispatch (pkt=0xf7bfd7b4, from=0xf7bfc7a8, portnum=88,
response=0xf7bfc7a4) at ../../kdc/dispatch.c:62
#5 0xa751 in process_packet (port_fd=16, prog=0xf7bfd959 "krb5kdc",
portnum=88) at ../../kdc/network.c:177
#6 0xa941 in listen_and_process (prog=0xf7bfd959 "krb5kdc")
at ../../kdc/network.c:221
#7 0xa2d4 in main (argc=2, argv=0xf7bfd880) at ../../kdc/main.c:912
It appears that the memset sees an uninitialized length and proceeds
to clear half of memory. Here is one possible fix.
cd /u/src/krb5-1.0pl1/src/kdc/
diff -c /u/src/krb5-1.0pl1/src/kdc/kdc_preauth.c.\~1\~ /u/src/krb5-1.0pl1/src/kdc/kdc_preauth.c
*** /u/src/krb5-1.0pl1/src/kdc/kdc_preauth.c.~1~ Wed Apr 2 23:42:18 1997
--- /u/src/krb5-1.0pl1/src/kdc/kdc_preauth.c Mon Jul 14 17:59:20 1997
***************
*** 622,627 ****
--- 622,630 ----
char inputblock[8];
krb5_data predict_response;
+ /* XXX: mostly for the memset() at cleanup at the end. -wsr */
+ memset (&encrypting_key, 0, sizeof(encrypting_key));
+
/* Given the client name we can figure out what type of preauth
they need. The spec is currently for querying the database for
names that match the types of preauth used. Later we should
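Review bot: the zero-fill added after the declarations at 622 leaves `encrypting_key.length` as 0 and `encrypting_key.contents` as NULL on any exit taken before the key is assigned, so the cleanup memset the comment refers to is handed a zero length rather than leftover stack bytes; the cleanup itself is outside the hunk, though, so please confirm it also tolerates a NULL `contents` (memset through a null pointer is undefined even with length 0) and that no early `return` skips the cleanup entirely. The backtrace in the report faults inside `krb5_free_etype_info()` called from `get_preauth_hint_list()` at kdc_preauth.c:207, while this hunk is at line 622, so it is worth checking that the patched function is actually on the crash path and not a second instance of the same uninitialized-length pattern. Stylistically, an `= { 0 }` initializer on the declaration would state the intent more directly than a memset after the declaration block, and the XXX comment could name the field the cleanup reads.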
Diff finished at Mon Jul 14 18:01:35
>Audit-Trail:
>Unformatted:
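The crash pattern described in this report, as an added illustration that is not krb5 code: a keyblock lives on the stack, every exit path runs one cleanup that wipes and frees its contents, and a database miss can reach that cleanup before the block was ever filled. The `keyblock` struct is a stand-in for `krb5_keyblock`, and `fail_early` is a constructed switch standing in for the failed lookup.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for krb5_keyblock (assumed shape: a length plus heap contents). */
struct keyblock {
    unsigned int length;
    unsigned char *contents;
};

/* Wipe-then-free cleanup in the style the report's memset() comment refers to.
 * The NULL guard is the second layer of defence: even if a caller forgets to
 * zero the block, a null contents pointer is never passed to memset()/free().
 * Returns the number of bytes wiped so the effect is observable. */
size_t free_keyblock_contents(struct keyblock *k)
{
    size_t wiped = 0;
    if (k->contents != NULL) {
        memset(k->contents, 0, k->length);
        wiped = k->length;
        free(k->contents);
    }
    k->contents = NULL;
    k->length = 0;
    return wiped;
}

/* Models the KDC request path: lookup may fail before the key is assigned,
 * and a single cleanup label runs on every exit. fail_early is constructed. */
int handle_request(int fail_early, size_t *wiped_out)
{
    struct keyblock encrypting_key;
    int retval = 0;

    /* The report's fix: without this, the early exit below hands the
     * cleanup whatever length and pointer were left on the stack. */
    memset(&encrypting_key, 0, sizeof(encrypting_key));

    if (fail_early) {           /* e.g. principal not found in the database */
        retval = -1;
        goto cleanup;
    }
    encrypting_key.length = 8;
    encrypting_key.contents = malloc(encrypting_key.length);
    if (encrypting_key.contents == NULL) {
        retval = -2;
        goto cleanup;
    }
    memset(encrypting_key.contents, 0x42, encrypting_key.length);

cleanup:
    *wiped_out = free_keyblock_contents(&encrypting_key);
    return retval;
}
```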