RT/krbdev.mit.edu: Ticket #2881 Crash on exit in mitkfw 2.6.5 after krb5_copy_cred call in cc_mslsa.c

 The Basics  
Id
2881
Status
resolved
Worked
0 min
Priority
0/0
Queue
krb5
 

 Keyword Selections  
Component
  • krb5-libs
Tags
Version_reported
  • 1.4
Version_Fixed
  • 1.4
Target_Version
 

 Relationships  
Depends on:
Depended on by:
Parents:
Children:

Refers to:
  • 2870: (jaltman) Crash on exit in mitkfw 2.6.5 [resolved]
Referred to by:
 
 Dates  
Created: Fri Jan 14 10:44:53 2005
Starts: Not set
Started: Not set
Last Contact: Tue Jan 18 12:54:34 2005
Due: Not set
Updated: Wed Dec 16 18:02:44 2015 by tlyu
 

 People  
Owner
 jaltman
Requestors
 Andrei.Keis@morganstanley.com
Cc
 
AdminCc
 
 


History
      Fri Jan 14 10:44:54 2005  jaltman - Ticket created    
     
Subject: Crash on exit in mitkfw 2.6.5 after krb5_copy_cred call in cc_mslsa.c

The applied patch in ticket 2870 did not fix the problem.

      Fri Jan 14 10:45:18 2005  jaltman - Component krb5-libs added    
      Fri Jan 14 10:45:19 2005  jaltman - Version_reported 1.4 added    
      Fri Jan 14 10:45:39 2005  jaltman - Ticket 2881 RefersTo ticket 2870.    
      Fri Jan 14 16:00:41 2005  jaltman - Comments added    
     
A previously unreported but crucial piece of information.  The crash
only occurs if the requested service ticket does not previously exist in
the LSA ccache.

I think I now have a test case I can use to reproduce the crash.

      Fri Jan 14 22:13:34 2005  jaltman - Correspondence added    
     
Andrei:

Please try the following patches:

Index: copy_princ.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/copy_princ.c,v
retrieving revision 5.24
diff -u -w -r5.24 copy_princ.c
--- copy_princ.c        3 Sep 2002 01:13:45 -0000       5.24
+++ copy_princ.c        15 Jan 2005 03:11:37 -0000
@@ -60,31 +60,35 @@
     for (i = 0; i < nelems; i++) {
        unsigned int len = krb5_princ_component(context, inprinc,
i)->length;
        krb5_princ_component(context, tempprinc, i)->length = len;
+        if (len) {
        if (((krb5_princ_component(context, tempprinc, i)->data =
-             malloc(len)) == 0) && len) {
+                   malloc(len)) == 0)) {
            while (--i >= 0)
                free(krb5_princ_component(context, tempprinc, i)->data);
            free (tempprinc->data);
            free (tempprinc);
            return ENOMEM;
        }
-       if (len)
            memcpy(krb5_princ_component(context, tempprinc, i)->data,
                   krb5_princ_component(context, inprinc, i)->data, len);
+        } else
+            krb5_princ_component(context, tempprinc, i)->data = 0;
     }

+    if (tempprinc->realm.length) {
     tempprinc->realm.data =
            malloc(tempprinc->realm.length = inprinc->realm.length);
-    if (!tempprinc->realm.data && tempprinc->realm.length) {
+        if (!tempprinc->realm.data) {
            for (i = 0; i < nelems; i++)
                    free(krb5_princ_component(context, tempprinc, i)->data);
            free(tempprinc->data);
            free(tempprinc);
            return ENOMEM;
     }
-    if (tempprinc->realm.length)
        memcpy(tempprinc->realm.data, inprinc->realm.data,
               inprinc->realm.length);
+    } else
+        tempprinc->realm.data = 0;

     *outprinc = tempprinc;
     return 0;
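Review bot: the new `if (tempprinc->realm.length) {` tests tempprinc's length, but the assignment `tempprinc->realm.length = inprinc->realm.length` only happens on the next line, inside that block, and the `} else` arm leaves realm.length untouched; unless tempprinc was struct-copied from inprinc before this hunk, the zero-length path is chosen on an uninitialized value. Suggest testing `inprinc->realm.length` and setting both fields in the else arm, e.g. `} else { tempprinc->realm.length = 0; tempprinc->realm.data = 0; }`. Two smaller points: `if (((krb5_princ_component(context, tempprinc, i)->data = malloc(len)) == 0)) {` keeps a redundant pair of parentheses left over from dropping `&& len`, and the bodies now nested under `if (len) {` and `if (tempprinc->realm.length) {` are not re-indented (hidden here by `diff -w`), so re-indent and brace both `else` arms before committing.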

Index: cp_key_cnt.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/cp_key_cnt.c,v
retrieving revision 5.12
diff -u -w -r5.12 cp_key_cnt.c
--- cp_key_cnt.c        3 Sep 2002 01:13:45 -0000       5.12
+++ cp_key_cnt.c        15 Jan 2005 03:11:37 -0000
@@ -36,9 +36,12 @@
 krb5_copy_keyblock_contents(krb5_context context, const krb5_keyblock
*from, krb5_keyblock *to)
 {
     *to = *from;
+    if (to->length) {
     to->contents = (krb5_octet *)malloc(to->length);
     if (!to->contents)
        return ENOMEM;
     memcpy((char *)to->contents, (char *)from->contents, to->length);
+    } else
+        to->contents = 0;
     return 0;
 }
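Review bot: `if (to->length) {` pairs a braced then-arm with an unbraced `} else` / `to->contents = 0;`, and the wrapped body (`to->contents = (krb5_octet *)malloc(to->length);` through the `memcpy`) is not re-indented under the new block, which `diff -u -w` hides; brace both arms and re-indent before committing. The logic is sound: because `*to = *from;` precedes the check, a zero-length keyblock now gets `contents = 0` instead of a malloc(0) call that the old code could only report as ENOMEM when the allocator returned NULL.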

      Sat Jan 15 01:34:13 2005  jaltman - Status changed from open to resolved    
      Sat Jan 15 01:34:14 2005  jaltman - Target_Version 1.4 added    
      Sat Jan 15 01:34:14 2005  jaltman - Correspondence added    
     
From: jaltman@mit.edu
Subject: CVS Commit

  * cp_key_cnt.c, copy_princ.c:
    prevent krb5_copy_principal() and krb5_copy_keyblock() from
    calling malloc(0).  On platforms in which malloc(0) returns
    NULL, these functions will return an ENOMEM error the way
    they were written.


To generate a diff of this commit:

	cvs diff -r5.457 -r5.458 krb5/src/lib/krb5/krb/ChangeLog
	cvs diff -r5.24 -r5.25 krb5/src/lib/krb5/krb/copy_princ.c
	cvs diff -r5.12 -r5.13 krb5/src/lib/krb5/krb/cp_key_cnt.c
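To illustrate the malloc(0) problem the commit message describes, here is a constructed example (not krb5's own code): a copy routine shaped like krb5_copy_keyblock_contents(), in its before and after forms, using an assumed platform_malloc() stub that returns NULL for size 0 the way the message says some platforms' malloc(0) does. The blob type and the function names are inventions for the example.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not krb5 code: a copy routine shaped like
 * krb5_copy_keyblock_contents(), before and after the ticket's fix.
 * platform_malloc() is an assumed stub standing in for a platform
 * whose malloc(0) returns NULL. */
typedef struct { size_t length; unsigned char *contents; } blob;

static void *platform_malloc(size_t n) { return n == 0 ? NULL : malloc(n); }

/* Before the fix: an empty source is mistaken for out-of-memory. */
int copy_blob_old(const blob *from, blob *to)
{
    *to = *from;
    to->contents = platform_malloc(to->length);
    if (!to->contents)
        return ENOMEM;
    memcpy(to->contents, from->contents, to->length);
    return 0;
}

/* After the fix: zero length never reaches malloc(); contents is set
 * to NULL so a later free() of the copy is safe. */
int copy_blob_new(const blob *from, blob *to)
{
    *to = *from;
    if (to->length) {
        to->contents = platform_malloc(to->length);
        if (!to->contents)
            return ENOMEM;
        memcpy(to->contents, from->contents, to->length);
    } else {
        to->contents = NULL;
    }
    return 0;
}

/* Status each variant returns for an empty source: ENOMEM before, 0 after. */
int empty_copy_status(int use_fixed)
{
    blob src = { 0, NULL }, dst;
    int rc = use_fixed ? copy_blob_new(&src, &dst) : copy_blob_old(&src, &dst);
    free(dst.contents);
    return rc;
}
```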

      Sat Jan 15 15:52:33 2005  jaltman - Comments added    
     
Confirmation has been received from Andrei that the patch does indeed
prevent the random memory corruption.

      Sat Jan 15 15:52:52 2005  jaltman - Tags pullup added    
      Sat Jan 15 15:53:04 2005  jaltman - Keyword 1.4 deleted    
      Tue Jan 18 12:54:30 2005  tlyu - Version_Fixed 1.4 added    
      Tue Jan 18 12:54:31 2005  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: CVS Commit

pullup from trunk


To generate a diff of this commit:

	cvs diff -r5.455.2.1 -r5.455.2.2 krb5/src/lib/krb5/krb/ChangeLog
	cvs diff -r5.24 -r5.24.10.1 krb5/src/lib/krb5/krb/copy_princ.c
	cvs diff -r5.12 -r5.12.10.1 krb5/src/lib/krb5/krb/cp_key_cnt.c

      Wed Dec 16 18:02:44 2015  tlyu - Keyword pullup deleted