[2769] in Kerberos-V5-bugs
krb5-libs/456: NULL pointer dereference in "krb5_rd_cred_basic"
daemon@ATHENA.MIT.EDU (Kevin Buhr)
Wed Aug 6 13:32:10 1997
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, buhr@stat.wisc.edu (Kevin Buhr)
Date: 06 Aug 1997 12:29:30 -0500
From: buhr@stat.wisc.edu (Kevin Buhr)
To: krb5-bugs@MIT.EDU
>Number: 456
>Category: krb5-libs
>Synopsis: NULL pointer dereference in "krb5_rd_cred_basic"
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Aug 06 13:30:01 EDT 1997
>Last-Modified:
>Originator: Kevin Buhr
>Organization:
University of Wisconsin---Madison
>Release: 1.0pl1
>Environment:
<machine, os, target, libraries (multiple lines)>
System: Linux mozart 2.1.47 #18 Tue Aug 5 13:07:37 CDT 1997 i486 unknown
Architecture: i486
>Description:
There is a potential NULL pointer dereference in "krb5_rd_cred_basic"
that is tickled by Beta 4 "rsh" and "rlogin" clients. The relevant
snippet of code starts at line 108 of "src/lib/krb5/krb/rd_cred.c":
    if (pkeyblock != NULL) {
        if (!krb5_address_compare(context, remote_addr, encpart.s_address)) {
            retval = KRB5KRB_AP_ERR_BADADDR;
            goto cleanup_cred;
        }
    }
No guarantee is made that the "encpart.s_address" is non-NULL before
this call to "krb5_address_compare".
When a Beta 4 "rsh" client is used to connect to a 1.0pl1 "kshd"
server with credentials forwarding, it creates a credentials structure
with NULL "sender_addr" and "recv_addr" fields. As a result, the
1.0pl1 server crashes when it passes the NULL encpart.s_address to
"krb5_address_compare".
The visible symptoms are that the client aborts with:
kcmd: bad connection with remote host
and retries using non-Kerberos "rsh".
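The following is an added example, not code from this report or from MIT krb5: a stand-alone C model of the sender-address check described above, with the reported shape (dereferences a NULL sender address whenever a key is present) beside a form that never dereferences NULL. The type and function names (model_address, check_sender_address, check_sender_address_original, CHECK_NOADDR) are hypothetical stand-ins; the address layout imitates krb5_address, and the sample addresses are constructed. The hardened form makes the policy for a missing address an explicit argument, since skipping the comparison (as the submitter's patch does) and rejecting the credential are different security decisions.

```c
/* Added example (not MIT krb5 code): a stand-alone model of the sender-address
 * check from rd_cred.c discussed in the report. Type and function names are
 * hypothetical stand-ins; the address layout imitates krb5_address. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int addrtype;                 /* e.g. 2 for IPv4 in the real library */
    size_t length;
    const unsigned char *contents;
} model_address;

enum check_result {
    CHECK_OK = 0,
    CHECK_BADADDR,                /* both addresses present but they differ */
    CHECK_NOADDR                  /* credential carries no sender address */
};

/* Constructed sample addresses: two distinct IPv4 addresses. */
static const unsigned char IP_A[4] = { 10, 0, 0, 1 };
static const unsigned char IP_B[4] = { 10, 0, 0, 2 };
const model_address SAMPLE_A = { 2, 4, IP_A };
const model_address SAMPLE_B = { 2, 4, IP_B };

/* Byte-wise comparison; like the real compare, assumes both pointers are valid. */
static int model_address_compare(const model_address *a, const model_address *b)
{
    return a->addrtype == b->addrtype && a->length == b->length &&
           memcmp(a->contents, b->contents, a->length) == 0;
}

/* Shape of the check as reported: it compares whenever a key is present,
 * so a NULL 'sender' (as sent by the Beta 4 rsh client) is dereferenced. */
int check_sender_address_original(int have_key, const model_address *remote,
                                  const model_address *sender)
{
    if (have_key && !model_address_compare(remote, sender))
        return CHECK_BADADDR;
    return CHECK_OK;
}

/* Hardened form: never dereferences a NULL address. The caller chooses the
 * policy for a missing address: reject it (require_addr != 0) or skip the
 * comparison as the submitter's patch does (require_addr == 0). */
int check_sender_address(int have_key, const model_address *remote,
                         const model_address *sender, int require_addr)
{
    if (!have_key)
        return CHECK_OK;          /* unencrypted path: check skipped as before */
    if (remote == NULL || sender == NULL)
        return require_addr ? CHECK_NOADDR : CHECK_OK;
    return model_address_compare(remote, sender) ? CHECK_OK : CHECK_BADADDR;
}

int main(void)
{
    /* Beta 4 client scenario: credential with no sender address. */
    printf("missing sender, lenient policy: %d\n",
           check_sender_address(1, &SAMPLE_A, NULL, 0));      /* 0 = CHECK_OK */
    printf("missing sender, strict policy:  %d\n",
           check_sender_address(1, &SAMPLE_A, NULL, 1));      /* 2 = CHECK_NOADDR */
    printf("mismatched addresses:           %d\n",
           check_sender_address(1, &SAMPLE_A, &SAMPLE_B, 1)); /* 1 = CHECK_BADADDR */
    return 0;
}
```

With require_addr set, a credential that omits its sender address is reported as CHECK_NOADDR rather than silently accepted, which is the distinction a server operator would want to make deliberately; with it clear, the behaviour matches the submitter's patch.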
>How-To-Repeat:
Connect to a 1.0pl1 server with a Beta 4 "rsh" client using:
rsh -F newish-server echo test
>Fix:
I'm using the following, obvious, patch, but am completely clueless
with regards to the security implications:
diff -u -r1.1 src/lib/krb5/krb/rd_cred.c
--- src/lib/krb5/krb/rd_cred.c 1997/08/06 00:00:25 1.1
+++ src/lib/krb5/krb/rd_cred.c 1997/08/06 00:00:31
@@ -105,7 +105,7 @@
* protected by encryption. If it came in the checksum field of
* an init_sec_context message, skip over this check.
*/
- if (pkeyblock != NULL) {
+ if (remote_addr && encpart.s_address && pkeyblock != NULL) {
if (!krb5_address_compare(context, remote_addr, encpart.s_address)) {
retval = KRB5KRB_AP_ERR_BADADDR;
goto cleanup_cred;
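Review bot: the new condition turns a missing sender address into a silent pass rather than an error. When `encpart.s_address` is NULL the whole address check is skipped, so a forwarded credential that carries no sender address is accepted from any remote address; that is the security implication the submitter says he is unsure about. Make the policy explicit: either keep the skip and say so in the comment block above the check (it currently only mentions the init_sec_context case), or, when `pkeyblock != NULL` and `encpart.s_address` is NULL, set `retval = KRB5KRB_AP_ERR_BADADDR` and `goto cleanup_cred` so that only credentials that supply an address get through. The added `remote_addr` guard is reasonable on its own terms, since `krb5_address_compare` is otherwise called with both pointers unconditionally.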
>Audit-Trail:
>Unformatted: