[3023] in Kerberos-V5-bugs
krb5-appl/678: appl/bsd/kcmd deadlock or data mixing
daemon@ATHENA.MIT.EDU (Sam Hartman)
Sat Dec 26 21:51:18 1998
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, hartmans@fundsxpress.com
Date: Sat, 26 Dec 1998 20:50:05 -0600
From: Sam Hartman <hartmans@fundsxpress.com>
Reply-To: hartmans@fundsxpress.com
To: krb5-bugs@MIT.EDU
>Number: 678
>Category: krb5-appl
>Synopsis: appl/bsd/kcmd can get into a deadlock or mix stderr and stdout
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Sat Dec 26 21:51:01 EST 1998
>Last-Modified:
>Originator: Sam Hartman
>Organization:
FundsXpress, INC.
>Release: current
>Environment:
System: Linux umgah 2.0.35 #5 Sat Aug 15 12:29:01 CDT 1998 i686 unknown
Architecture: i686
>Description:
The kcmd code for decryption supports buffered IO. However, it only
has one buffer and rsh uses it to read two data streams.
To make matters worse, the rsh and kshd code use select. This means
that if data comes in on both stdout and stderr, and the application
read a partial buffer on stdout last time, rsh may mix data intended
for stdout into stderr. Also, if the last thing in a stream is a
partial buffer, then rather than returning EOF on the last read, the
partial buffer may be returned; I'm not sure if an OS is allowed to
not return a file descriptor in select for read after read has read
zero bytes, but if this is the case, then several deadlocks would be
explained.
>How-To-Repeat:
Run a large tar job that spews lots of data to stdout and prints a completion notice to stderr.
>Fix:
I will apply something along the lines of the following patch,
modifying only to include the PR number in the changelog comment.
This is not a correct or even complete solution; it simply removes the
symptoms under normal circumstances. It's still possible for the
buffer to be used and thus bad data returned in cases where, by the
time one encrypted data is read, part of another is already in the
buffer, and the result of this encrypted data plus the next overflows
the entire buffer. In practice this does not happen often.
Index: ChangeLog
===================================================================
RCS file: /mesa/cvsroot/krb5/src/appl/bsd/ChangeLog,v
retrieving revision 1.7
diff -u -r1.7 ChangeLog
--- ChangeLog 1998/12/26 16:22:34 1.7
+++ ChangeLog 1998/12/26 16:26:13
@@ -1,3 +1,9 @@
+1998-11-28 Sam Hartman <hartmans@mesas.com>
+
+ * krshd.c krsh.c: Use RCMD_BUFSIZ not
+
+ * kcmd.c: Move RCMD_BUFSIZ into defines.h
+
1998-11-16 Geoffrey King <gjking@mit.edu>
* login.c (login_get_kconf): Also test whether *kconf_val is null
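Review bot: the new entry `* krshd.c krsh.c: Use RCMD_BUFSIZ not` stops mid-sentence; finish it (the hunks below replace RSH_BUFSIZ and RSHD_BUFSIZ) and also record that krshd.c now includes defines.h and that krsh.c's buffer grows from 4096 to 5120 bytes. The entry is dated 1998-11-28 with a mesas.com address while the diff and the report are from 1998-12-26 and fundsxpress.com; since only the PR number is to be added before committing, check the date and address too.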
@@ -9,6 +15,7 @@
* Makefile.in: Set the myfulldir and mydir variables (which are
relative to buildtop and thisconfigdir, respectively.)
+
1998-10-24 Marc Horowitz <marc@mit.edu>
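Review bot: this hunk only inserts a blank line before the 1998-10-24 entry; drop it so the ChangeLog diff carries nothing but the real change.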
Index: defines.h
===================================================================
RCS file: /mesa/cvsroot/krb5/src/appl/bsd/defines.h,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 defines.h
--- defines.h 1997/12/07 00:39:40 1.1.1.1
+++ defines.h 1998/12/26 16:26:13
@@ -1,2 +1,3 @@
#define OPTS_FORWARD_CREDS 0x00000002
#define OPTS_FORWARDABLE_CREDS 0x00000001
+#define RCMD_BUFSIZ 5120
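Review bot: RCMD_BUFSIZ is added to defines.h with no comment on what it is or why kcmd.c, krsh.c and krshd.c must all agree on it; add one line saying it is the size of the buffer shared with kcmd's decrypting reads, since a mismatch between those buffers is exactly what this patch is papering over. Note also that the three lines shown are the whole of defines.h and there is no include guard, so it must not be included twice from one translation unit.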
Index: kcmd.c
===================================================================
RCS file: /mesa/cvsroot/krb5/src/appl/bsd/kcmd.c,v
retrieving revision 1.1.1.3
diff -u -r1.1.1.3 kcmd.c
--- kcmd.c 1998/11/06 23:50:17 1.1.1.3
+++ kcmd.c 1998/12/26 16:26:13
@@ -98,7 +98,7 @@
extern Key_schedule v4_schedule;
#endif
-#define RCMD_BUFSIZ 5120
+
#define START_PORT 5120 /* arbitrary */
char *default_service = "host";
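Review bot: `#define RCMD_BUFSIZ 5120` is removed here, but unlike krshd.c below no hunk adds `#include "defines.h"` to kcmd.c; unless kcmd.c already includes it, RCMD_BUFSIZ is undefined in this file and it will not compile. Minor: the define is replaced by an empty line rather than deleted, leaving two consecutive blank lines.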
Index: krsh.c
===================================================================
RCS file: /mesa/cvsroot/krb5/src/appl/bsd/krsh.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 krsh.c
--- krsh.c 1998/07/26 22:18:31 1.1.1.2
+++ krsh.c 1998/12/26 16:26:13
@@ -93,7 +93,7 @@
#define UCB_RSH "/usr/ucb/rsh"
#endif
-#define RSH_BUFSIZ 4096
+
krb5_context bsd_context;
krb5_creds *cred;
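Review bot: same concern as kcmd.c: RSH_BUFSIZ is dropped and buf below is sized with RCMD_BUFSIZ, yet the patch adds no `#include "defines.h"` to krsh.c; confirm it is already included. This also silently grows buf from 4096 to 5120 bytes, which belongs in the ChangeLog entry.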
@@ -129,7 +129,7 @@
char **argv0;
{
int rem, pid;
- char *host=0, *cp, **ap, buf[RSH_BUFSIZ], *args, **argv = argv0, *user = 0;
+ char *host=0, *cp, **ap, buf[RCMD_BUFSIZ], *args, **argv = argv0, *user = 0;
register int cc;
struct passwd *pwd;
fd_set readfrom, ready;
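Review bot: with buf now declared as `buf[RCMD_BUFSIZ]`, any read into it elsewhere in this function that still names RSH_BUFSIZ will fail to compile (good), but a literal 4096 would silently stop filling the buffer; use sizeof(buf) at the read calls so the length tracks the define.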
Index: krshd.c
===================================================================
RCS file: /mesa/cvsroot/krb5/src/appl/bsd/krshd.c,v
retrieving revision 1.1.1.3
diff -u -r1.1.1.3 krshd.c
--- krshd.c 1998/11/06 23:50:18 1.1.1.3
+++ krshd.c 1998/12/26 16:26:13
@@ -73,7 +73,9 @@
#define SERVE_NON_KRB
#define LOG_REMOTE_REALM
#define LOG_CMD
-
+#include "defines.h"
+
+
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
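Review bot: the include is followed by two added blank lines where one was removed; keep a single blank line. Placing `#include "defines.h"` ahead of the system headers is fine, since defines.h only defines macros.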
@@ -163,7 +165,7 @@
#define ARGSTR "ek54ciD:S:M:AP:?L:"
-#define RSHD_BUFSIZ 5120
+
#define MAXRETRIES 4
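Review bot: as in kcmd.c, the removed `#define RSHD_BUFSIZ 5120` is replaced by a blank line instead of being deleted; remove the line.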
@@ -577,7 +579,7 @@
short port;
int pv[2], pw[2], px[2], cc;
fd_set ready, readfrom;
- char buf[RSHD_BUFSIZ], sig;
+ char buf[RCMD_BUFSIZ], sig;
struct sockaddr_in fromaddr;
struct sockaddr_in localaddr;
int non_privileged = 0;
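Review bot: sizing the server-side buf from the same RCMD_BUFSIZ as the client is what the Fix text asks for, but the single-decryption-buffer, two-streams, select() problem in the Description is untouched on this side as well; the Fix section's statement that this only removes the symptoms should be repeated in a comment next to this buffer or in the ChangeLog so the next reader does not take it for the fix.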
@@ -1457,7 +1459,7 @@
char *fmt;
char *a1, *a2, *a3;
{
- char buf[RSHD_BUFSIZ];
+ char buf[RCMD_BUFSIZ];
buf[0] = 1;
(void) sprintf(buf+1, "%s: ", progname);
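Review bot: resizing buf to RCMD_BUFSIZ adds no bound to the formatting in this function: `(void) sprintf(buf+1, "%s: ", progname)` and whatever follows it that formats fmt with a1, a2 and a3 are unbounded sprintf calls into a fixed stack buffer. Use snprintf with sizeof(buf) - 1 (or check the lengths) so an overlong progname or argument cannot overrun it.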
>Audit-Trail:
>Unformatted:
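The following C model is an added example written for this page; it is not code from the PR, from the submitter or from krb5's kcmd.c/krsh.c. It reproduces the two symptoms in the Description: one decryption buffer shared between the remote stdout and stderr sockets and drained in whatever order select() reports them ready, so that leftover stdout plaintext is handed out as stderr; and plaintext sitting in that buffer that select() cannot see, which is where a select()-driven loop loses the tail of a stream or blocks. The record contents, the tar lines and the names model_init, model_read and model_pending are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the failure described in this PR (example code for
 * this page, not krb5's kcmd.c). The decryption layer keeps one plaintext
 * staging buffer; rsh reads two sockets (stdout, stderr) through it in the
 * order select() reports them ready. */

#define REC_MAX 64

/* One socket's traffic as the sequence of plaintext records that successive
 * decrypted reads would yield (sample data, constructed below). */
struct stream { const char *const *recs; size_t nrecs, next; };

/* Plaintext staging buffer: the bug is sharing ONE of these between streams. */
struct pbuf { char data[REC_MAX]; size_t pos, len; };

struct model {
    struct stream so, se;        /* remote stdout and stderr */
    struct pbuf shared, bo, be;  /* single shared buffer vs one per stream */
    int use_shared;              /* 1 = the buggy layout, 0 = per-stream */
};

static const char *const out_recs[] = { "tar: file1.txt\n", "tar: file2.txt\n" };
static const char *const err_recs[] = { "tar: done\n" };

static void model_init(struct model *m, int use_shared)
{
    memset(m, 0, sizeof *m);
    m->so.recs = out_recs; m->so.nrecs = 2;
    m->se.recs = err_recs; m->se.nrecs = 1;
    m->use_shared = use_shared;
}

/* Deliver up to n plaintext bytes from socket `which` ('o' or 'e') into out
 * (which needs n + 1 bytes; result is NUL-terminated). A fresh record is
 * "decrypted" only when the staging buffer is empty; otherwise leftover bytes
 * are handed out, whichever socket they came from. Returns 0 at EOF. */
static size_t model_read(struct model *m, char which, char *out, size_t n)
{
    struct stream *s = which == 'o' ? &m->so : &m->se;
    struct pbuf *b = m->use_shared ? &m->shared : (which == 'o' ? &m->bo : &m->be);
    if (b->pos == b->len) {
        if (s->next == s->nrecs) { out[0] = '\0'; return 0; }
        const char *r = s->recs[s->next++];
        b->len = strlen(r);
        memcpy(b->data, r, b->len);
        b->pos = 0;
    }
    size_t take = b->len - b->pos;
    if (take > n) take = n;
    memcpy(out, b->data + b->pos, take);
    out[take] = '\0';
    b->pos += take;
    return take;
}

/* Bytes already decrypted but not yet delivered for socket `which`. select()
 * on the socket cannot see these: a loop that blocks in select() while this
 * is nonzero loses the tail of the stream or hangs, the PR's second symptom.
 * A correct loop must drain this before calling select() again. */
static size_t model_pending(const struct model *m, char which)
{
    const struct pbuf *b = m->use_shared ? &m->shared
                         : (which == 'o' ? &m->bo : &m->be);
    return b->len - b->pos;
}

int main(void)
{
    struct model m; char b[REC_MAX + 1];
    model_init(&m, 1);
    model_read(&m, 'o', b, 4);   /* rsh reads part of a stdout record */
    model_read(&m, 'e', b, 4);   /* select() says stderr is ready ... */
    printf("shared buffer: stderr got \"%s\"\n", b);  /* ... but gets stdout's bytes */
    model_init(&m, 0);
    model_read(&m, 'o', b, 4);
    model_read(&m, 'e', b, 4);
    printf("per-stream buffers: stderr got \"%s\", stdout bytes not yet delivered: %zu\n",
           b, model_pending(&m, 'o'));
    return 0;
}
```

The per-stream layout fixes the mixing but not the second symptom: even with separate buffers, model_pending() is nonzero after a short read, and a loop that goes straight back into select() on the socket never sees those bytes. That is the part the RCMD_BUFSIZ patch does not address, as the Fix section says.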