[3256] in Kerberos-V5-bugs
krb5-admin/1001: Patch for kadmin hang
daemon@ATHENA.MIT.EDU (ratliff@austin.ibm.com)
Tue Oct 2 13:02:03 2001
Resent-From: gnats@rt-11.mit.edu (GNATS Management)
Resent-To: krb5-unassigned@rt-11.mit.edu
Resent-Reply-To: krb5-bugs@MIT.EDU, ratliff@austin.ibm.com
Message-Id: <20011002170138.C00B682C06@spiff.austin.ibm.com>
Date: Tue, 2 Oct 2001 12:01:38 -0500 (CDT)
From: ratliff@austin.ibm.com
Reply-To: ratliff@austin.ibm.com
To: krb5-bugs@mit.edu, ratliff@austin.ibm.com
>Number: 1001
>Category: krb5-admin
>Synopsis: kadmin hangs on erroneous input rather than giving error msg
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Oct 2 13:02:00 EDT 2001
>Last-Modified:
>Originator: Emily Ratliff
>Organization:
IBM Linux Technology Center, Security
>Release: krb5-1.2.2
>Environment:
System: Linux spiff.austin.ibm.com 2.2.17-21mdk #1 Thu Oct 5 13:16:08 CEST 2000 i686 unknown
Architecture: i686
>Description:
kadmin hangs when presented with bad input in the form of an
invalid principal. A couple of examples of principals that will
cause the hang:
mike\\@
@mike/admin@REALM
If the @ is escaped or is the first symbol of a principal, the
else branch of the principal parsing code in kadmin.c is executed.
The else branch does a strchr(cp, '@') but since the first character
of cp is an @, the original value is returned and cp is not updated.
This makes the while loop run endlessly, causing the hang. It is fairly
harmless because you can ^C out of it and return to the kadmin
prompt, but getting the error message would be nicer.
I originally sent this to the krbdev mailing list, but it really
belongs here. I apologize for the mistake.
>How-To-Repeat:
$ kadmin
kadmin: addprinc mi\@ke/admin@REALM
<hang>
>Fix:
diff -ur src.old/kadmin/cli/kadmin.c src/kadmin/cli/kadmin.c
--- src.old/kadmin/cli/kadmin.c Thu Sep 13 15:38:48 2001
+++ src/kadmin/cli/kadmin.c Fri Sep 21 14:30:52 2001
@@ -158,7 +158,7 @@
if (cp - fullname && *(cp - 1) != '\\')
break;
else
- cp = strchr(cp, '@');
+ cp = strchr((cp + 1), '@');
}
if (cp == NULL) {
strcat(fullname, "@");
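Review bot: the escape test `*(cp - 1) != '\\'` in the context line above the change looks back only one character, so even with the patched `strchr((cp + 1), '@')` an '@' that follows an escaped backslash (the `mike\\@` input from the description) is still skipped as if it were escaped, and the name falls through to the `cp == NULL` branch, which appends "@". If that is not the intended parse, count the run of backslashes before cp and treat the '@' as escaped only when the count is odd. The `cp + 1` step itself is safe because `*cp` is '@' at that point, so the pointer cannot move past the terminator. The inner parentheses are redundant, and a one-line comment saying that a leading or escaped '@' is skipped on purpose would help the next reader.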
>Audit-Trail:
>Unformatted:
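The loop described in the report, reconstructed as an added example that is not the kadmin source: the loop header, the function name find_realm_sep, the step parameter and the MAX_ITER guard are assumptions, introduced so the original and patched behaviour can be run side by side on the report's inputs.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ITER 1000   /* demo guard: lets the unpatched loop return */

/*
 * Find the first '@' that is neither the first character nor preceded
 * by a backslash. step = 0 mirrors the original strchr(cp, '@'),
 * step = 1 the patched strchr(cp + 1, '@').
 * Returns the separator index, -1 if there is none, or -2 if the
 * loop stopped making progress (the hang from the report).
 * The loop header is an assumption; the hunk shows only its body.
 */
static int find_realm_sep(const char *fullname, int step)
{
    const char *cp = strchr(fullname, '@');
    int iter = 0;

    while (cp != NULL) {
        if (++iter > MAX_ITER)
            return -2;
        if (cp - fullname && *(cp - 1) != '\\')
            break;
        else
            cp = strchr(cp + step, '@');
    }
    return cp ? (int)(cp - fullname) : -1;
}

int main(void)
{
    /* Inputs from the report plus one well-formed name, as C literals. */
    const char *names[] = {
        "mike\\\\@", "@mike/admin@REALM",
        "mi\\@ke/admin@REALM", "mike/admin@REALM"
    };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-22s original=%3d patched=%3d\n", names[i],
               find_realm_sep(names[i], 0), find_realm_sep(names[i], 1));
    return 0;
}
```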