RT/krbdev.mit.edu: Ticket #1770 [Maurice Massar] Bug#206851: krb5-kdc: krb5kdc segfaults on startup

Created: Sun Aug 24 14:35:10 2003
Starts: Not set
Started: Tue Aug 26 12:57:35 2003
Last Contact: Mon Sep 29 15:07:45 2003
Due: Not set
Updated: Wed Dec 16 18:02:41 2015 by tlyu

 hartmans@debian.org, paul@clubi.ie


History
      Sun Aug 24 14:35:11 2003  hartmans@debian.org - Ticket created    
To: krb5-bugs@mit.edu
Cc: 206851-forwarded@bugs.debian.org
Subject: [Maurice Massar] Bug#206851: krb5-kdc: krb5kdc segfaults on startup
From: Sam Hartman <hartmans@debian.org>
Date: Sun, 24 Aug 2003 14:35:02 -0400

Subject: Bug#206851: krb5-kdc: krb5kdc segfaults on startup
From: Maurice Massar <massar@unix-ag.uni-kl.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Date: Sat, 23 Aug 2003 15:53:39 +0200

Package: krb5-kdc
Version: 1.3-2
Severity: important
Tags: sid patch


On my system, krb5kdc segfaults on startup.
syslog shows this:
Aug 23 14:30:21 linux1 krb5kdc[10198]: setting up network...
Aug 23 14:30:21 linux1 krb5kdc[10198]: setting up network...
Aug 23 14:30:21 linux1 krb5kdc[10198]: skipping unrecognized local address family 17
Aug 23 14:30:21 linux1 last message repeated 7 times
(it looks like all messages get logged twice, but I haven't checked yet whether
this is a local config problem on my system)

I debugged this with gdb and found that the problem is in
krb5-1.3/src/include/foreachaddr.c, where foreach_localaddr()
assumes that getifaddrs() never returns an entry with ifp->ifa_addr == NULL.

Writing a small test program, I found that not to be the case on my system:
ifaddr @ 0x0x804a2bc
next: 0x0x804a340
name: `ppp0'
flags: 0x10D1
addr: (null)
netmask: (null)
broadaddr: (null)
dstaddr: (null)
data: 0x0x804a92c

This small patch should solve that:

--- krb5-1.3.orig/src/include/foreachaddr.c
+++ krb5-1.3/src/include/foreachaddr.c
@@ -382,6 +382,8 @@
        if ((ifp->ifa_flags & IFF_UP) == 0)
+       if (!ifp->ifa_addr)
+           continue;
        if (ifp->ifa_flags & IFF_LOOPBACK) {
            ifp->ifa_flags &= ~IFF_UP;
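Review bot: the new `if (!ifp->ifa_addr) continue;` is placed directly after `if ((ifp->ifa_flags & IFF_UP) == 0)`, whose own `continue;` is not visible in this hunk; if the NULL test ends up as the body of that `if`, it only runs for interfaces that are down, and an up ppp0 entry with no address still reaches the dereference. Put the NULL test as the first statement of the loop body, ahead of the IFF_UP and IFF_LOOPBACK checks, so every entry is screened before ifa_addr is used.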
@@ -393,6 +395,8 @@
            if (ifp2->ifa_flags & IFF_LOOPBACK)
+           if (!ifp2->ifa_addr)
+               continue;
            if (addr_eq (ifp->ifa_addr, ifp2->ifa_addr)) {
                match = 1;
                ifp->ifa_flags &= ~IFF_UP;
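Review bot: the same placement question applies here: `if (!ifp2->ifa_addr) continue;` follows `if (ifp2->ifa_flags & IFF_LOOPBACK)` with no body shown, so make sure it is a separate statement inside the inner loop and not that `if`'s body. With that settled, skipping an address-less ifp2 with `continue` (rather than ending the duplicate scan) is the right choice, because later entries still need to be compared against `ifp->ifa_addr`.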

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux linux1 2.4.21-2-686 #1 Sat Jul 5 00:38:35 EST 2003 i686

Versions of packages krb5-kdc depends on:
ii  debconf       1.3.11                     Debian configuration management sy
ii  krb5-user     1.3-2                      Basic programs to authenticate usi
ii  libc6         2.3.2-3                    GNU C Library: Shared libraries an
ii  libcomerr2    1.34+1.35-WIP-2003.08.21-2 The Common Error Description libra
ii  libkadm55     1.3-2                      MIT Kerberos administration runtim
ii  libkrb53      1.3-2                      MIT Kerberos runtime libraries

-- debconf information:
  krb5-kdc/debconf: yes
  krb5-kdc/run-krb524: true
* krb5-kdc/krb4-mode: nopreauth
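
A NULL-tolerant version of the walk described in this report, as an added example rather than krb5's own foreach_localaddr(): it keeps the up-and-duplicate logic, tests ifa_addr before any use of it, and skips (rather than stops at) an address-less entry during the duplicate scan. addr_eq, count_usable_addrs and the sample list with its 192.0.2.x addresses are assumptions constructed for the example.

```c
#include <ifaddrs.h>
#include <net/if.h>
#include <netinet/in.h>
#include <string.h>
#ifndef IFF_UP
#define IFF_UP 0x1   /* fallback for strict-ANSI builds that hide the net/if.h flags */
#endif
/* Assumed IPv4-only comparison; callers guarantee both pointers are non-NULL. */
static int addr_eq(const struct sockaddr *a, const struct sockaddr *b)
{
    const struct sockaddr_in *x = (const void *)a, *y = (const void *)b;
    return a->sa_family == AF_INET && b->sa_family == AF_INET &&
           memcmp(&x->sin_addr, &y->sin_addr, sizeof(struct in_addr)) == 0;
}

/* Count distinct usable addresses, mirroring foreach_localaddr's up-and-
 * duplicate checks but testing ifa_addr for NULL before any use of it. */
int count_usable_addrs(struct ifaddrs *head)
{
    int n = 0;
    for (struct ifaddrs *ifp = head; ifp; ifp = ifp->ifa_next) {
        if (ifp->ifa_addr == NULL || (ifp->ifa_flags & IFF_UP) == 0)
            continue;                 /* no address (e.g. ppp0), or interface down */
        int dup = 0;
        for (struct ifaddrs *p = head; p && p != ifp; p = p->ifa_next) {
            if (p->ifa_addr == NULL || (p->ifa_flags & IFF_UP) == 0)
                continue;             /* skip, do not stop at, a NULL entry */
            if (addr_eq(ifp->ifa_addr, p->ifa_addr)) { dup = 1; break; }
        }
        if (!dup) n++;
    }
    return n;
}
/* Constructed sample (hypothetical values): an up interface, a ppp0-like entry
 * with no address as in the report above, an alias repeating the first
 * address, and a second up interface. */
static struct sockaddr_in a1, a2;
static struct ifaddrs sample[4];
struct ifaddrs *make_sample_list(void)
{
    a1.sin_family = a2.sin_family = AF_INET;
    a1.sin_addr.s_addr = htonl(0xC000020Au);   /* 192.0.2.10 */
    a2.sin_addr.s_addr = htonl(0xC0000214u);   /* 192.0.2.20 */
    struct sockaddr *addrs[4] = { (struct sockaddr *)&a1, NULL,
                                  (struct sockaddr *)&a1, (struct sockaddr *)&a2 };
    for (int i = 0; i < 4; i++) {
        sample[i].ifa_flags = IFF_UP; sample[i].ifa_addr = addrs[i];
        sample[i].ifa_next = (i < 3) ? &sample[i + 1] : NULL;
    }
    return sample;   /* count_usable_addrs() on this list returns 2 */
}
```

The alias entry sits after the NULL one on purpose: a duplicate scan that breaks out at the first address-less entry would miss it, while the skip-and-continue form above still catches it.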

      Mon Aug 25 12:27:01 2003  raeburn - Comments added    
To: rt-comment@krbdev.mit.edu
Cc: krb5-prs@MIT.EDU
Cc: Maurice Massar <massar@unix-ag.uni-kl.de>
Subject: Re: [krbdev.mit.edu #1770] [Maurice Massar] Bug#206851: krb5-kdc: krb5kdc segfaults on startup
From: Ken Raeburn <raeburn@MIT.EDU>
Date: Mon, 25 Aug 2003 12:26:57 -0400

Ah, so there's a non-BSD system that supports getifaddrs now?
I'll update my 'testing' chroot environment and try it out.

Thanks for the patch.  Something like it will probably find its way
into our source tree shortly.


      Tue Aug 26 12:49:05 2003  raeburn - Taken    
      Tue Aug 26 12:53:40 2003  raeburn - Comments added    
I can't reproduce the problem, but I don't have any PPP links on my
system at the moment, and it's not running the latest kernel.  Patching

      Tue Aug 26 12:57:35 2003  raeburn - Version_reported 1.3 added    
      Tue Aug 26 12:57:35 2003  raeburn - Status changed from new to resolved    
      Tue Aug 26 12:57:35 2003  raeburn - Tags pullup added    
      Tue Aug 26 12:57:36 2003  raeburn - Target_Version 1.3.2 added    
      Tue Aug 26 12:57:36 2003  raeburn - Correspondence added    
From: raeburn@mit.edu
Subject: CVS Commit

* foreachaddr.c (foreach_localaddr) [HAVE_IFADDRS_H]: Skip over any returned
data structure with a NULL ifa_addr field.

To generate a diff of this commit:

	cvs diff -r1.384 -r1.385 krb5/src/include/ChangeLog
	cvs diff -r1.3 -r1.4 krb5/src/include/foreachaddr.c

      Mon Sep 29 15:07:43 2003  tlyu - Version_Fixed 1.3.2 added    
      Mon Sep 29 15:07:43 2003  tlyu - Correspondence added    
From: tlyu@mit.edu
Subject: CVS Commit

pullup from trunk

To generate a diff of this commit:

	cvs diff -r1.348.2.23 -r1.348.2.24 krb5/src/include/ChangeLog
	cvs diff -r1.3 -r1.3.2.1 krb5/src/include/foreachaddr.c

      Tue Jan 13 05:33:29 2004  RT_System - Ticket 2115: Ticket created    
Date: Tue, 13 Jan 2004 10:33:23 +0000 (GMT)
From: Paul Jakma <paul@clubi.ie>
To: krb5-bugs@mit.edu
Subject: SEGV in include/foreachaddr.c on startup

>Submitter-Id:	net
Paul Jakma	paul@clubi.ie paul@jakma.org
PGP5 public key: http://www.clubi.ie/jakma/publickey.txt
>Confidential:	no
>Synopsis:	kdc segfaults in/below foreach_localaddr
>Severity:	serious
>Priority:	high
>Category:	krb5-kdc
>Class:		sw-bug
>Release:	krb5-1.3.1

System: Linux hibernia.jakma.org 2.4.22-1.2140.nptl #1 Tue Jan 6 20:21:24 EST 2004 i586 i586 i386 GNU/Linux
Architecture: i586


kdc segfaults on startup in 3 places below foreach_localaddr due to
dereferencing incomplete interface structures: when calling addr_eq at ~
396 and when calling the *pass1fn() callback at approx line 402. In both
cases it's due to the ifa_addr member of either ifp or ifp2 being NULL.

SEGV in addr_eq due to ifp->ifa_addr being NULL:

(gdb) bt
#0  addr_eq (s1=0x0, s2=0x9a398cc) at foreachaddr.c:205
#1  0x08053796 in foreach_localaddr (data=0xbff02d28,
    pass1fn=0x8053d0c <setup_udp_port>, betweenfn=0, pass2fn=0)
    at foreachaddr.c:396
#2  0x08054143 in setup_network (prog=0xbff86b6c "krb5kdc") at
#3  0x080530ae in main (argc=1, argv=0xbff02dd4) at main.c:685

SEGV in setup_udp_port, due to passing in NULL ifp->ifa_addr.

(gdb) bt
#0  0x08053d31 in setup_udp_port (P_data=0xbff7c8f8, addr=0x0) at
#1  0x08053777 in foreach_localaddr (data=0xbff7c8f8,
    pass1fn=0x8053d10 <setup_udp_port>, betweenfn=0, pass2fn=0)
    at foreachaddr.c:402
#2  0x08054147 in setup_network (prog=0xbffe0b6c "krb5kdc") at network.c:656
#3  0x080530ae in main (argc=1, argv=0xbff7c9a4) at main.c:685

SEGV in addr_eq again, but ifp2->ifa_addr is NULL.

(gdb) bt
#0  0x080534a6 in addr_eq (s1=0x96aa9d4, s2=0x0) at foreachaddr.c:205
#1  0x080537a6 in foreach_localaddr (data=0xbff61318,
    pass1fn=0x8053d1c <setup_udp_port>, betweenfn=0, pass2fn=0)
    at foreachaddr.c:398
#2  0x08054153 in setup_network (prog=0xbff92b6c "krb5kdc") at network.c:656
#3  0x080530ae in main (argc=1, argv=0xbff613c4) at main.c:685


I'm not sure how to repeat it, but if one can arrange a system to have either
ifp->ifa_addr and/or ifp2->ifa_addr be NULL, the crash can be reproduced.

The network interface setup on my system is as follows:

# ip address show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet brd scope host lo
    inet6 ::1/128 scope host
2: sit0@NONE: <NOARP> mtu 1480 qdisc noop
    link/sit brd
7: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:60:97:54:1e:c9 brd ff:ff:ff:ff:ff:ff
    inet brd scope global eth0
    inet6 fe80::260:97ff:fe54:1ec9/64 scope link
    inet6 2001:770:105:1:260:97ff:fe54:1ec9/64 scope global
14: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc cbq qlen 3
    inet peer scope global ppp0
15: sixxs@NONE: <POINTOPOINT,NOARP,UP> mtu 1280 qdisc noqueue
    link/sit peer
    inet6 fe80::d54f:21a8/128 scope link
    inet6 2001:770:100:8::2/64 scope global


The patch below fixes the problem for me by simply ignoring interfaces
whose ifa_addr is NULL. To what extent it papers over a deeper problem I
unfortunately do not know.

--- krb5-1.3.1/src/include/foreachaddr.c.orig	2002-09-03 23:11:02.000000000 +0100
+++ krb5-1.3.1/src/include/foreachaddr.c	2004-01-13 10:10:57.000000000 +0000
@@ -380,6 +380,8 @@
 #ifdef DEBUG
 	printifaddr (ifp);
+	if (ifp->ifa_addr == NULL)
+	    continue;
 	if ((ifp->ifa_flags & IFF_UP) == 0)
 	if (ifp->ifa_flags & IFF_LOOPBACK) {
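Review bot: the NULL test is inserted right after `printifaddr (ifp);` inside the `#ifdef DEBUG` region, and the closing `#endif` is not visible in this hunk; if the check lands inside that region it is compiled out of non-DEBUG builds and the crash remains, and in DEBUG builds printifaddr still runs on the entry before it is screened. Move `if (ifp->ifa_addr == NULL) continue;` to the top of the loop body, ahead of the DEBUG print and the IFF_UP test.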
@@ -388,7 +390,8 @@
 	/* If this address is a duplicate, punt.  */
 	match = 0;
-	for (ifp2 = ifp_head; ifp2 && ifp2 != ifp; ifp2 = ifp2->ifa_next) {
+	for (ifp2 = ifp_head; ifp2 && ifp2->ifa_addr && ifp2 != ifp;
+						ifp2 = ifp2->ifa_next) {
 	    if ((ifp2->ifa_flags & IFF_UP) == 0)
 	    if (ifp2->ifa_flags & IFF_LOOPBACK)
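Review bot: adding `ifp2->ifa_addr &&` to the for-loop condition ends the whole duplicate scan at the first entry with no address instead of skipping it, so any entry that comes after such an entry but before `ifp` is never compared and a duplicate address can slip through (the first hunk, by contrast, uses `continue`). Keep the loop condition as it was and test `ifp2->ifa_addr == NULL` with `continue` inside the loop body, before addr_eq is reached.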

      Tue Jan 13 05:33:31 2004  RT_System - Ticket 2115: Component krb5-kdc added    
      Tue Jan 13 05:33:32 2004  RT_System - Ticket 2115: Version_reported 1.3.1 added    
      Tue Feb  3 00:33:21 2004  tlyu - Ticket 2115: Ticket 2115 MergedInto ticket 1770.    
      Wed Dec 16 18:02:41 2015  tlyu - Keyword pullup deleted