[3113] in Kerberos-V5-bugs
krb5-kdc/754: krb5kdc dropped core, apparently when it got a confused packet
daemon@ATHENA.MIT.EDU (E. Larry Lidz)
Thu Sep 23 11:56:17 1999
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, ellidz@eridu.uchicago.edu
Message-Id: <199909231554.KAA18457@eridu.uchicago.edu>
Date: Thu, 23 Sep 1999 10:54:34 -0500 (CDT)
From: "E. Larry Lidz" <ellidz@eridu.uchicago.edu>
Reply-To: ellidz@eridu.uchicago.edu
To: krb5-bugs@MIT.EDU
>Number: 754
>Category: krb5-kdc
>Synopsis: krb5kdc dropped core, apparently when it got a confused packet
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Sep 23 11:56:01 EDT 1999
>Last-Modified:
>Originator: E. Larry Lidz
>Organization:
>Release: krb5-1.0.6
>Environment:
Solaris 7 5/99, Kerberos 1.0.6. We run without krb4 support in the KDC.
System: SunOS 5.7 Generic_106541-05 sun4u sparc SUNW,Ultra-5_10
Architecture: sun4
>Description:
All three KDCs that we have just dropped core simultaneously. It looks
like there was a bad AS Request or something that went to the KDC,
crashed it, realized that it wasn't getting a response, and moved on to
the first slave, and so forth until it had crashed all three of our
KDCs. If the packet could be constructed intentionally (we don't have a
reason to believe that it was), it could lead to a potentially quite
nasty Denial-of-Service attack.
>How-To-Repeat:
I don't know how to repeat it, but here's a little bit of information
that I've gleaned from the core files that were left behind. The crash
occurred when trying to log a request (it doesn't look like the request
was actually ever logged, though). The log line was line 430 of
do_as_req.c. fromstring was \023, portnum was 750, status was a few
lines of garbage. cname was out of bounds, sname was a few lines of
garbage. errcode was 501984.
>Fix:
Unknown.
>Audit-Trail:
>Unformatted: