RT RT/krbdev.mit.edu: Ticket #8666 KDC null dereference when TGS reply is too big for UDP Signed in as guest.
[Logout]

[Home] [Search] [Configuration]

[Display] [History] [Basics] [Dates] [People] [Links] [Jumbo]

 
 

 The Basics  
Id
8666
Status
resolved
Worked
0 min
Priority
0/0
Queue
krb5
 

 Keyword Selections  
Component
Tags
Version_reported
Version_Fixed
  • 1.15.3
  • 1.16.1
Target_Version
  • 1.15-next
  • 1.16-next
 

 Relationships  
Depends on:
Depended on by:
Parents:
Children:

Refers to:
Referred to by:
 
 Dates  
Created: Wed Apr 18 17:09:57 2018
Starts: Not set
Started: Wed Apr 18 17:21:10 2018
Last Contact: Wed May 2 01:26:06 2018
Due: Not set
Updated: Wed May 2 10:16:07 2018 by ghudson
 

 People  
Owner
 ghudson
Requestors
 rharwood@redhat.com
Cc
 
AdminCc
 
 

 More about Robbie Harwood  
Comments about this user:
No comment entered about this user
This user's 25 highest priority tickets:
 

History   Display mode: [Brief headers] [Full headers]
      Wed Apr 18 17:09:57 2018  rharwood@redhat.com - Ticket created    
     
From: Robbie Harwood <rharwood@redhat.com>
To: krb5-bugs@mit.edu
Subject: Explicit NULL deref in finish_dispatch()
Date: Wed, 18 Apr 2018 16:18:25 -0400

 

     
In dispatch.c, dispatch() allocates a dispatch_state structure called
state, and initializes some fields.  However, unless krb5_is_as_req(pkt)
is true, state->active_realm does not get initialized before the state
object is passed to finish_dispatch_cache.

finish_dispatch_cache() passes through state to finish_dispatch().

finish_dispatch() invokes the kdc_context macro in a call to
krb5_free_data(), which dereferences state->active_realm (for
realm_tgsprinc).

This is an explicit NULL dereference.  Worth noting also is that
make_too_big_error() will attempt to dereference the same value later in
finish_dispatch().

Thanks,
--Robbie

Download (untitled) 642b
     
 
Download signature.asc 832b
      Wed Apr 18 17:21:10 2018  ghudson - Status changed from new to open    
      Wed Apr 18 17:21:11 2018  ghudson - Correspondence added    
     
I guess this happens any time a response to a TGS request is too big to
fit into a datagram, which is rare with the DB2 or LDAP KDB module but
could easily happen with a KDB module supporting PACs.

We also need to figure out when this bug was introduced.  It might have
been commit 0a2f14f752c32a24200363cc6b6ae64a92f81379 but not
necessarily.  I can do that research.


Download (untitled) 373b
      Thu Apr 19 13:31:00 2018  ghudson - Subject changed from Explicit NULL deref in finish_dispatch() to KDC null dereference when TGS reply is too big for UDP    
      Thu Apr 19 14:35:30 2018  ghudson - Correspondence added    
     
Using a test case, I verified that prior to
0a2f14f752c32a24200363cc6b6ae64a92f81379, the KDC successfully responds
to a TGS request with a too-big error if the reply length exceeds
max_dgram_reply_size, and after that commit the KDC seg faults with a
null dereference.


Download (untitled) 273b
      Mon Apr 23 20:17:25 2018  ghudson - Given to ghudson    
      Mon Apr 23 20:17:26 2018  ghudson - Tags pullup added    
      Mon Apr 23 20:17:26 2018  ghudson - Status changed from open to resolved    
      Mon Apr 23 20:17:26 2018  ghudson - Target_Version 1.16-next added    
      Mon Apr 23 20:17:26 2018  ghudson - Target_Version 1.15-next added    
      Mon Apr 23 20:17:26 2018  ghudson - Correspondence added    
     
From: ghudson@mit.edu
Subject: git commit


Fix KDC null dereference on large TGS replies

For TGS requests, dispatch() doesn't set state->active_realm, which
leads to a NULL dereference in finish_dispatch() if the reply is too
big for UDP.  Prior to commit 0a2f14f752c32a24200363cc6b6ae64a92f81379
the active realm was a global and was set when process_tgs_req()
called setup_server_realm().

Move TGS decoding out of process_tgs_req() so that we can set
state->active_realm before any errors requiring response.  Add a test
case.

[ghudson@mit.edu: edited commit message; added test case; reduced code
duplication; removed server handle from process_tgs_req() parameters]

https://github.com/krb5/krb5/commit/6afa8b4abf8f7c5774d03e6b15ee7288ad68d725
Author: Robbie Harwood <rharwood@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 6afa8b4abf8f7c5774d03e6b15ee7288ad68d725
Branch: master
 src/kdc/Makefile.in   |    1 +
 src/kdc/dispatch.c    |   48 +++++++++++++++++++++++++++---------------------
 src/kdc/do_tgs_req.c  |   24 ++++++------------------
 src/kdc/kdc_util.h    |    5 ++---
 src/kdc/t_bigreply.py |   19 +++++++++++++++++++
 5 files changed, 55 insertions(+), 42 deletions(-)


Download (untitled) 1.1k
      Wed May  2 01:25:43 2018  ghudson - Version_Fixed 1.16.1 added    
      Wed May  2 01:25:43 2018  ghudson - Correspondence added    
     
From: ghudson@mit.edu
Subject: git commit


Fix KDC null dereference on large TGS replies

For TGS requests, dispatch() doesn't set state->active_realm, which
leads to a NULL dereference in finish_dispatch() if the reply is too
big for UDP.  Prior to commit 0a2f14f752c32a24200363cc6b6ae64a92f81379
the active realm was a global and was set when process_tgs_req()
called setup_server_realm().

Move TGS decoding out of process_tgs_req() so that we can set
state->active_realm before any errors requiring response.  Add a test
case.

[ghudson@mit.edu: edited commit message; added test case; reduced code
duplication; removed server handle from process_tgs_req() parameters]

(cherry picked from commit 6afa8b4abf8f7c5774d03e6b15ee7288ad68d725)

https://github.com/krb5/krb5/commit/086b505b7248ec78502857d6dac72a57c59b36e8
Author: Robbie Harwood <rharwood@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 086b505b7248ec78502857d6dac72a57c59b36e8
Branch: krb5-1.16
 src/kdc/Makefile.in   |    1 +
 src/kdc/dispatch.c    |   48 +++++++++++++++++++++++++++---------------------
 src/kdc/do_tgs_req.c  |   24 ++++++------------------
 src/kdc/kdc_util.h    |    5 ++---
 src/kdc/t_bigreply.py |   19 +++++++++++++++++++
 5 files changed, 55 insertions(+), 42 deletions(-)


Download (untitled) 1.2k
      Wed May  2 01:26:06 2018  ghudson - Version_Fixed 1.15.3 added    
      Wed May  2 01:26:06 2018  ghudson - Correspondence added    
     
From: ghudson@mit.edu
Subject: git commit


Fix KDC null dereference on large TGS replies

For TGS requests, dispatch() doesn't set state->active_realm, which
leads to a NULL dereference in finish_dispatch() if the reply is too
big for UDP.  Prior to commit 0a2f14f752c32a24200363cc6b6ae64a92f81379
the active realm was a global and was set when process_tgs_req()
called setup_server_realm().

Move TGS decoding out of process_tgs_req() so that we can set
state->active_realm before any errors requiring response.  Add a test
case.

[ghudson@mit.edu: edited commit message; added test case; reduced code
duplication; removed server handle from process_tgs_req() parameters]

(cherry picked from commit 6afa8b4abf8f7c5774d03e6b15ee7288ad68d725)

https://github.com/krb5/krb5/commit/be1e46f32c603cde7880cf07ed830a7320e959e1
Author: Robbie Harwood <rharwood@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: be1e46f32c603cde7880cf07ed830a7320e959e1
Branch: krb5-1.15
 src/kdc/Makefile.in   |    1 +
 src/kdc/dispatch.c    |   46 ++++++++++++++++++++++++++--------------------
 src/kdc/do_tgs_req.c  |   24 ++++++------------------
 src/kdc/kdc_util.h    |    5 ++---
 src/kdc/t_bigreply.py |   12 ++++++++++++
 5 files changed, 47 insertions(+), 41 deletions(-)


Download (untitled) 1.1k
      Wed May  2 10:16:07 2018  ghudson - Keyword pullup deleted