[2815] in Kerberos-V5-bugs
krb5-kdc/495: KDC crashes on TGS request when compiled with KDC_UPDATES_KDB option
daemon@ATHENA.MIT.EDU (Tony Mione)
Wed Nov 12 07:03:18 1997
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, mione@ns-dev.rutgers.edu
Date: Wed, 12 Nov 1997 06:55:31 -0500 (EST)
From: Tony Mione <mione@ns-dev.rutgers.edu>
Reply-To: mione@ns-dev.rutgers.edu
To: krb5-bugs@MIT.EDU
>Number: 495
>Category: krb5-kdc
>Synopsis: KDC crashes on TGS request when compiled with KDC_UPDATES_KDB option
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Nov 12 07:03:00 EST 1997
>Last-Modified:
>Originator: Tony Mione
>Organization:
Tony Mione, RUCS/NS, Rutgers University, Hill 055, Piscataway,NJ - 732-445-0650
mione@nbcs-ns.rutgers.edu W3: http://www-ns.rutgers.edu/~mione/
PGP Fingerprint : E2 25 2C CD 28 73 3C 5B 0B 91 8A 4E 22 BA FA 9F
Editorial Advisor for Digital Systems Report ***** Important: John 17:3 *****
>Release: 1.0
>Environment:
Sun Ultra 1, Solaris 2.5.1
System: SunOS ns-dev.rutgers.edu 5.5.1 Generic sun4m sparc SUNW,SPARCstation-20
Architecture: sun4
>Description:
The KDC crashes when trying to acquire a service ticket using a
tgt. When the KDC attempts to decrypt the server key with the master key,
it crashes with a Segment violation. The pointer to the master key is null
at that point (kdc_realmlist[0]->db_context->db_master_key).
The db_context record has been wiped out during the AS_REQ
processing. At the end of the AS_REQ, if KDC_UPDATES_KDB is set, the
principal's db record is written back to the database. The database is
closed and reopened (in the absence of a db_sync function) to flush the
record to disk. The code does none of the processing from init_realm to set
up, decrypt, and process the database's master key.
>How-To-Repeat:
This seemed to occur only when using a krbtgt for cross-realm
operations. After kiniting in the target realm, I ran a local application
that calls krb5_get_creds_from_kdc. This generates a TGS request to the
target kdc that causes the crash.
>Fix:
Here are the context diffs from do_as_req.c:
*** do_as_req.c Mon Nov 10 08:01:23 1997
--- do_as_req.c.orig Tue Feb 27 17:37:53 1996
***************
*** 41,47 ****
#include "adm.h"
#include "adm_proto.h"
#include "extern.h"
- #include "kdb_dbc.h"
static krb5_error_code prepare_error_as PROTOTYPE((krb5_kdc_req *,
int,
--- 41,46 ----
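Review bot: the diff is reversed: the patched file is on the `***` (old) side and `do_as_req.c.orig` on the `---` (new) side, so the submitter's additions show up as `-` lines and the patch only applies with `patch -R`. Regenerate it as `diff -c do_as_req.c.orig do_as_req.c` before it goes into the tree. Including "kdb_dbc.h" here pulls the database module's internal context type into the KDC request path; if the only reason is the `krb5_db_context` local declared in the next hunk, it is worth asking whether the master-key reset should instead sit behind the generic krb5_db_* interface the surrounding code already uses (krb5_db_set_name, krb5_db_init).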
***************
*** 79,85 ****
register int i;
krb5_timestamp until, rtime;
char *cname = 0, *sname = 0, *fromstring = 0;
- krb5_db_context db_context; /* ANM */
ticket_reply.enc_part.ciphertext.data = 0;
e_data.data = 0;
--- 78,83 ----
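Review bot: `db_context` is a stack local that is never initialized before its address is handed to krb5_dbm_db_set_mkey in the later hunk. If that routine reads any field of it, this is uninitialized-memory use; if it only writes into it, the value is discarded when process_as_req returns and the reset has no lasting effect on the context the TGS path reads (the report itself names kdc_realmlist[0]->db_context as the pointer that is NULL at the crash). Either pass the realm's existing context or zero-initialize the local and say in the comment why a separate one is needed; `/* ANM */` only records initials.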
***************
*** 460,467 ****
krb5_db_set_name(kdc_active_realm->realm_context,
kdc_active_realm->realm_dbname);
krb5_db_init(kdc_context);
- /* Reset master key ! A. Mione - 10-Nov-1997 */
- krb5_dbm_db_set_mkey (kdc_context, &db_context, &kdc_active_realm->realm_encblock );
}
#endif /* KRBCONF_KDC_MODIFIES_KDB */
krb5_db_free_principal(kdc_context, &client, c_nprincs);
--- 458,463 ----
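Review bot: the return codes of krb5_db_init and the new krb5_dbm_db_set_mkey call are both ignored, so a failed reopen or a failed master-key reset leaves the KDC in exactly the null-master-key state the report describes, just one request later; check both and log or abort rather than continue. The reset also uses a fresh local `db_context` instead of the context the TGS request path dereferences, so confirm that set_mkey actually updates the context krb5_db_init just set up and not only the local. Note the enclosing block is `#ifdef KRBCONF_KDC_MODIFIES_KDB` while the synopsis calls the option KDC_UPDATES_KDB; use the real macro name in the report. Longer term, factor the master-key setup out of init_realm into one routine that both init_realm and this write-back path call, so the two cannot drift apart again.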
>Audit-Trail:
>Unformatted:
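The failure mode in the Description, as an added example that is not part of the report and not MIT krb5 code: a minimal model in which closing the database discards the per-database context (including the master key) while the realm-level key material survives, so a naive close/reopen leaves the TGS path with a NULL master key. The struct names db_context, realm_encblock and master_key, the error codes, and the helper names are assumptions chosen to mirror the report's wording, not the real krb5 types or API. The TGS routine here also shows the defensive check a reviewer would want: it returns an error instead of dereferencing a NULL key.

```c
/* Added example, not MIT krb5 code. Names mirror the bug report but are
 * assumptions: db_context, realm_encblock, master_key, db_* helpers. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEYLEN 8

/* Realm-level state set up once by init_realm; survives a database reopen. */
typedef struct {
    unsigned char realm_encblock[KEYLEN];   /* decrypted master key material */
} realm_state;

/* Per-database state; closing the database throws it away. */
typedef struct {
    int open;
    unsigned char *master_key;              /* NULL until db_set_mkey runs */
} db_context;

/* Hypothetical error codes for the model. */
enum { OK = 0, ERR_DB_CLOSED = 1, ERR_NO_MASTER_KEY = 2, ERR_NOMEM = 3 };

static int db_init(db_context *db) { db->open = 1; return OK; }

static int db_fini(db_context *db) {
    free(db->master_key);
    db->master_key = NULL;                  /* the pointer the report sees as NULL */
    db->open = 0;
    return OK;
}

/* Install the realm's master key into the database context. */
static int db_set_mkey(db_context *db, const realm_state *realm) {
    unsigned char *k;
    if (!db->open) return ERR_DB_CLOSED;
    k = malloc(KEYLEN);
    if (!k) return ERR_NOMEM;
    memcpy(k, realm->realm_encblock, KEYLEN);
    free(db->master_key);
    db->master_key = k;
    return OK;
}

/* The one setup routine both init_realm and the write-back path should use,
 * so the reopen path cannot forget a step. Return codes are checked. */
static int db_open_with_mkey(db_context *db, const realm_state *realm) {
    int rc = db_init(db);
    if (rc != OK) return rc;
    return db_set_mkey(db, realm);
}

/* Models decrypting the server key in the TGS path. Defensive: a NULL master
 * key yields an error code instead of the segmentation violation. */
static int tgs_decrypt_server_key(const db_context *db, unsigned char out[KEYLEN]) {
    if (!db->open) return ERR_DB_CLOSED;
    if (!db->master_key) return ERR_NO_MASTER_KEY;
    memcpy(out, db->master_key, KEYLEN);    /* stand-in for the decryption */
    return OK;
}

/* Naive AS_REQ write-back: close and reopen to flush, master key forgotten. */
static int as_req_flush_naive(db_context *db) {
    db_fini(db);
    return db_init(db);
}

/* Fixed AS_REQ write-back: reopen through the same helper init_realm uses. */
static int as_req_flush_fixed(db_context *db, const realm_state *realm) {
    db_fini(db);
    return db_open_with_mkey(db, realm);
}

/* init_realm, then an AS_REQ flush, then a TGS request; returns the TGS rc. */
int simulate(int use_fix) {
    realm_state realm = { {1, 2, 3, 4, 5, 6, 7, 8} };   /* constructed key bytes */
    db_context db = { 0, NULL };
    unsigned char key[KEYLEN];
    int rc;
    if (db_open_with_mkey(&db, &realm) != OK) return ERR_NOMEM;
    rc = use_fix ? as_req_flush_fixed(&db, &realm) : as_req_flush_naive(&db);
    if (rc != OK) { db_fini(&db); return rc; }
    rc = tgs_decrypt_server_key(&db, key);
    db_fini(&db);
    return rc;
}

int main(void) {
    printf("naive reopen: TGS rc=%d\n", simulate(0));   /* 2: no master key */
    printf("fixed reopen: TGS rc=%d\n", simulate(1));   /* 0: OK */
    return 0;
}
```

The point of the model is the shape of the fix rather than the specific call: keep one routine that opens the database and installs the master key, call it from every place the database is (re)opened, and check its return code; the TGS-side NULL check then turns a remaining mistake into a logged error instead of a KDC crash.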