[9004] in Athena Bugs


a few bugs in the current kerberos sources (not security related)

daemon@ATHENA.MIT.EDU (Mark W. Eichin)
Fri Feb 21 18:56:33 1992

Date: Fri, 21 Feb 92 18:56:10 EST
From: "Mark W. Eichin" <eichin@cygnus.com>
To: bugs@Athena.MIT.EDU
Cc: bug-kerberos@Athena.MIT.EDU

These bugs exist in both the current Athena sources and the
distribution on Athena-dist. These were all observed on the SPARC
under SunOS 4.1.1. There is no apparent security impact of these bugs,
although the first one causes kpropd to fail.

	1) kdb_util.c: with certain malloc's, kdb_util load will never
work; the wrong size is used for the filename of the temporary
database (2 bytes shorter instead of 2 bytes longer) causing it to try
(and fail) to create the temporary database with the same name as the
real one.
	2) kinit.c: falls off the end, instead of return'ing 0.
	3) send_to_kdc.c: malloc is incorrectly assumed to return
zeroed space; hostlist->h_name is passed to free even if it never got
assigned (to demonstrate, kinit in a non-existent realm on a SPARC.
You'll get a core dump. Also demonstrated under 4.1.2.)

					_Mark_ <eichin@cygnus.com>
					Cygnus Support
					One Kendall Square
					Cambridge, MA 02138 (617)494-1040

ps. Sorry the patches are reversed; you should read and audit them
anyhow, rather than blindly applying them, as with all changes to
security related software. 				_Mark_

diff -cr current/kerberos/src/admin/kdb_util.c orig/kerberos/src/admin/kdb_util.c
*** current/kerberos/src/admin/kdb_util.c	Fri Feb 21 18:13:21 1992
--- orig/kerberos/src/admin/kdb_util.c	Fri Feb 21 18:22:55 1992
***************
*** 224,230 ****
      int code;
      extern char *sys_errlist[];
      char *temp_db_file;
!     temp1 = strlen(db_file)+2;
      temp_db_file = malloc (temp1);
      strcpy(temp_db_file, db_file);
      strcat(temp_db_file, "~");
--- 224,230 ----
      int code;
      extern char *sys_errlist[];
      char *temp_db_file;
!     temp1 = strlen(db_file+2);
      temp_db_file = malloc (temp1);
      strcpy(temp_db_file, db_file);
      strcat(temp_db_file, "~")
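Review bot: the orig side's `temp1 = strlen(db_file+2);` adds 2 to the pointer rather than to the length, so temp1 comes out two bytes shorter than strlen(db_file) while the strcpy plus strcat of "~" that follow need strlen(db_file)+2 bytes (one for the tilde, one for the NUL); the current side's `strlen(db_file)+2` is the right size. Two points apply to both sides of the hunk: `temp_db_file = malloc (temp1);` is never checked for NULL before strcpy writes through it, and a bounded copy using the computed size (snprintf or strlcpy) would make the relationship between the allocation and the write explicit. The orig side's `strcat(temp_db_file, "~")` also appears here without its trailing semicolon, presumably lost in transcription.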

diff -cr current/kerberos/src/kuser/kinit.c orig/kerberos/src/kuser/kinit.c
*** current/kerberos/src/kuser/kinit.c	Fri Feb 21 18:16:30 1992
--- orig/kerberos/src/kuser/kinit.c	Fri Feb 21 18:26:08 1992
***************
*** 184,190 ****
  	fprintf(stderr, "%s: %s\n", progname, krb_err_txt[k_errno]);
  	exit(1);
      }
-     return 0;
  }
  
  usage()
--- 184,189 ----
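Review bot: the `return 0;` that the orig side lacks is the only thing that defines kinit's exit status on the success path; the error path above it uses `exit(1)`, so without it a caller that tests the status (a login script, a wrapper) may see an arbitrary value and treat a successful kinit as a failure, or the reverse. Where this function is defined (not visible in the hunk) it is worth declaring it `int main(...)` explicitly so the compiler can warn about a missing return.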

diff -cr current/kerberos/src/lib/krb/send_to_kdc.c orig/kerberos/src/lib/krb/send_to_kdc.c
*** current/kerberos/src/lib/krb/send_to_kdc.c	Fri Feb 21 18:18:00 1992
--- orig/kerberos/src/lib/krb/send_to_kdc.c	Fri Feb 21 18:27:41 1992
***************
*** 124,131 ****
      hostlist = (struct hostent *) malloc(sizeof(struct hostent));
      if (!hostlist)
          return (/*errno */SKDC_CANT);
-     hostlist->h_name = 0;	/* so it gets properly freed at "rtn" */
-     
      if ((f = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
          if (krb_debug)
              fprintf(stderr,"%s: Can't open socket\n", prog);
--- 124,129 ----
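Review bot: the added `hostlist->h_name = 0;` initializes only one member of the malloc'd struct hostent; if the cleanup at "rtn" (outside this hunk) also frees other pointer members such as h_aliases or h_addr_list, they carry the same uninitialized-free problem. Replacing the `malloc(sizeof(struct hostent))` with calloc, or a memset of the whole struct right after the NULL check, covers every member at once and does not depend on remembering each one. The fix also relies on free(0) being a no-op at "rtn", which older libcs did not all guarantee; an explicit `if (hostlist->h_name)` guard there would be safer.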

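The two allocation mistakes described in items 1 and 3 of the report, each beside a corrected form, as an added example that is not part of the original bug report or the Kerberos sources. The function names (temp_db_name, host_record_free, lookup_fails_early) and the hypothetical struct host_record standing in for struct hostent are assumptions made for this example; the database path used in main() is a constructed sample value.

```c
/* Added example (not from the original report or the Kerberos sources):
 * the wrong-size allocation from item 1 and the unzeroed struct from item 3,
 * each beside a corrected form. All names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Item 1: the temporary database name is the real name plus "~".
 * strlen(db_file + 2) measures the string starting two bytes in, so it is
 * two bytes SHORTER than strlen(db_file), not two bytes longer. */
size_t temp_db_name_len_buggy(const char *db_file)
{
    return strlen(db_file + 2);        /* wrong: pointer offset, not length + 2 */
}

/* Correct size: original length, one byte for "~", one for the NUL. */
size_t temp_db_name_len(const char *db_file)
{
    return strlen(db_file) + 2;
}

/* Build the temporary name with a checked allocation and a bounded write.
 * The caller frees the result; returns NULL on allocation failure. */
char *temp_db_name(const char *db_file)
{
    size_t n = temp_db_name_len(db_file);
    char *tmp = malloc(n);
    if (!tmp)
        return NULL;
    snprintf(tmp, n, "%s~", db_file);  /* never writes past n bytes */
    return tmp;
}

/* Item 3: a struct whose pointer members are freed on a common cleanup path
 * must start out zeroed; malloc() gives no such guarantee. */
struct host_record {                   /* hypothetical stand-in for struct hostent */
    char *h_name;
    char **h_addr_list;
};

/* Shown for contrast only, never called: members hold indeterminate values,
 * so a later free() of an unassigned member frees garbage. */
struct host_record *host_record_new_buggy(void)
{
    return malloc(sizeof(struct host_record));
}

/* Corrected: calloc zeroes every member, so cleanup can free them all. */
struct host_record *host_record_new(void)
{
    return calloc(1, sizeof(struct host_record));
}

/* 1 if every pointer member is NULL, i.e. safe to free() unconditionally. */
int host_record_is_clean(const struct host_record *r)
{
    return r != NULL && r->h_name == NULL && r->h_addr_list == NULL;
}

/* Cleanup in the style of the report's "rtn" label: free whatever was set,
 * relying on NULL members for anything that was never assigned. */
void host_record_free(struct host_record *r)
{
    if (!r)
        return;
    free(r->h_name);                   /* free(NULL) is a no-op in C89+ */
    if (r->h_addr_list) {
        for (char **p = r->h_addr_list; *p; p++)
            free(*p);
        free(r->h_addr_list);
    }
    free(r);
}

/* Simulate the failure path from the report: allocate, then bail out before
 * h_name is ever assigned. Returns 0 when the cleanup was safe to run. */
int lookup_fails_early(void)
{
    struct host_record *r = host_record_new();
    if (!r)
        return -1;
    /* ... the realm lookup fails here; nothing has been assigned ... */
    if (!host_record_is_clean(r))
        return -2;
    host_record_free(r);
    return 0;
}

int main(void)
{
    const char *db = "/kerberos/principal";   /* constructed sample path */
    char *t = temp_db_name(db);
    if (!t)
        return 1;
    printf("%s (correct size %zu, buggy size %zu)\n", t,
           temp_db_name_len(db), temp_db_name_len_buggy(db));
    free(t);
    printf("early-failure cleanup: %d\n", lookup_fails_early());
    return 0;
}
```

The difference between the two size functions is four bytes for the sample path, which is exactly the amount the strcpy and strcat in the original code would write past the end of the shorter allocation; whether that corrupts something visible depends on the allocator's rounding, which is why the report says the symptom appears only "with certain malloc's".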