[3126] in Kerberos-V5-bugs
krb5-appl/763: login.c calls krb5_cc_destroy() on null pointer
daemon@ATHENA.MIT.EDU (Donn Cave)
Tue Oct 5 17:43:32 1999
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, donn@u.washington.edu
Message-Id: <199910052142.OAA21265@saul8.u.washington.edu>
Date: Tue, 5 Oct 1999 14:42:44 -0700 (PDT)
From: Donn Cave <donn@u.washington.edu>
Reply-To: donn@u.washington.edu
To: krb5-bugs@MIT.EDU
>Number: 763
>Category: krb5-appl
>Synopsis: login.c calls krb5_cc_destroy() on null pointer
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Oct 05 17:43:00 EDT 1999
>Last-Modified:
>Originator: Donn Cave
>Organization:
University Computing Services
University of Washington
>Release: krb5-1.1
>Environment:
System: AIX 4.2
Machine: RS/6000
>Description:
In appl/bsd/login.c, lpass_ok branches out of the password check loop
before some Kerberos credentials logic that sets xtra_creds. Then
subsequent to that loop there's more Kerberos credentials logic that
expects the earlier logic to have executed, leaving a valid xtra_creds.
Since it's actually a null pointer, login aborts as a result and the
connection terminates.
>How-To-Repeat:
Make sure password is the same for Kerberos and the local system.
Log in via telnet, without telnet service ticket so login will use
password to acquire TGT.
>Fix:
I took the liberty of removing a comment that seems to be outdated,
and I moved the lpass_ok test down below the Kerberos stuff.
This should address today's actual problem, but the following diff
also shows the segfault area re-coded in a way that will be more
robust and also easier to extend or debug.
[Line numbers reflect a couple of other patches]
*** appl/bsd/login.c.dist Thu Sep 23 15:40:09 1999
--- appl/bsd/login.c Tue Oct 5 14:07:52 1999
***************
*** 1303,1321 ****
setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
}
- /* Policy: If local password is good, user is good.
- We really can't trust the Kerberos password,
- because somebody on the net could spoof the
- Kerberos server (not easy, but possible).
- Some sites might want to use it anyways, in
- which case they should change this line
- to:
- if (kpass_ok)
- */
-
- if (lpass_ok)
- break;
-
if (got_v5_tickets) {
if (retval = krb5_verify_init_creds(kcontext, &my_creds, NULL,
NULL, &xtra_creds,
--- 1304,1309 ----
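Review bot: the removed comment block is the only statement of the authentication policy in this region (a good local password is sufficient; the Kerberos password alone is not trusted because the KDC could be spoofed), and this hunk replaces it with nothing. Moving the `if (lpass_ok) break;` past the `got_v5_tickets` block changes that policy, not just the crash: a user with a valid local password now also runs through `krb5_verify_init_creds()` before the loop exits. That is arguably the better ordering, because a TGT obtained with the password is then checked against the host key before it is stored into the cache later in the file, but it deserves a replacement comment saying so (for example `/* A good local password admits the user; any TGT we obtained is still verified before it is kept. */`) rather than silently dropping the old rationale.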
***************
*** 1338,1343 ****
--- 1326,1334 ----
}
#endif /* KRB4_GET_TICKETS */
+ if (lpass_ok)
+ break;
+
bad_login:
setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
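Review bot: the relocated `if (lpass_ok) break;` now sits after the KRB4 and KRB5 verification blocks and directly above `bad_login:`, so any failure path inside those blocks that jumps or falls through to `bad_login` is taken before the local password result is consulted. Confirm that a `krb5_verify_init_creds()` failure inside the `got_v5_tickets` block (unreachable KDC, missing host keytab) does not reach `bad_login` for a user whose local password was valid; if it does, this move turns a Kerberos infrastructure failure into a login denial that the original ordering avoided, and the break should stay before the verification with the null `xtra_creds` handled at the destroy call instead.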
***************
*** 1634,1652 ****
/* set up credential cache -- obeying KRB5_ENV_CCNAME
set earlier */
/* (KRB5_ENV_CCNAME == "KRB5CCNAME" via osconf.h) */
! if (retval = krb5_cc_default(kcontext, &ccache)) {
com_err(argv[0], retval, "while getting default ccache");
! } else if (retval = krb5_cc_initialize(kcontext, ccache, me)) {
! com_err(argv[0], retval, "when initializing cache");
! } else if (retval = krb5_cc_store_cred(kcontext, ccache, &my_creds)) {
! com_err(argv[0], retval, "while storing credentials");
! } else if (xtra_creds &&
! (retval = krb5_cc_copy_creds(kcontext, xtra_creds,
! ccache))) {
! com_err(argv[0], retval, "while storing credentials");
}
-
- krb5_cc_destroy(kcontext, xtra_creds);
} else if (forwarded_v5_tickets && rewrite_ccache) {
if ((retval = krb5_cc_initialize (kcontext, ccache, me))) {
syslog(LOG_ERR,
--- 1625,1652 ----
/* set up credential cache -- obeying KRB5_ENV_CCNAME
set earlier */
/* (KRB5_ENV_CCNAME == "KRB5CCNAME" via osconf.h) */
! retval = krb5_cc_default(kcontext, &ccache);
! if (retval)
com_err(argv[0], retval, "while getting default ccache");
! else {
! retval = krb5_cc_initialize(kcontext, ccache, me);
! if (retval)
! com_err(argv[0], retval, "when initializing cache");
! else {
! retval = krb5_cc_store_cred(kcontext, ccache, &my_creds);
! if (retval)
! com_err(argv[0], retval, "while storing credentials");
! else {
! if (xtra_creds) {
! retval = krb5_cc_copy_creds(kcontext, xtra_creds,
! ccache);
! if (retval)
! com_err(argv[0], retval, "while storing credentials");
! krb5_cc_destroy(kcontext, xtra_creds);
! }
! }
! }
}
} else if (forwarded_v5_tickets && rewrite_ccache) {
if ((retval = krb5_cc_initialize (kcontext, ccache, me))) {
syslog(LOG_ERR,
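Review bot: in the restructured block, `krb5_cc_destroy(kcontext, xtra_creds)` is reached only on the innermost success path, so if `krb5_cc_initialize()` or `krb5_cc_store_cred()` fails while `xtra_creds` is non-NULL, the cache returned by `krb5_verify_init_creds()` is never destroyed. Hoist the cleanup out of the nesting so it runs on every path, e.g. after the whole if/else chain:
`if (xtra_creds) krb5_cc_destroy(kcontext, xtra_creds);`
Two smaller points: the `if (xtra_creds)` guard assumes `xtra_creds` is initialised to NULL at its declaration, which is not in this hunk and should be checked, since the old `if (lpass_ok) break;` path left it unassigned. And the `krb5_cc_copy_creds()` failure reuses the message "while storing credentials" from the `krb5_cc_store_cred()` branch, so the two failures are indistinguishable in the log; "while copying verified credentials" would tell them apart.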
>Audit-Trail:
>Unformatted: