RT/krbdev.mit.edu: Ticket #5471 krb5_ktfile_get_entry() can invalidate keytab file handle
The Basics
Id: 5471
Status: resolved
Worked: 0 min
Priority: 0/0
Queue: krb5

Keyword Selections
Component: krb5-libs
Version_reported: 1.6.1
Version_Fixed: 1.6.3
Target_Version: 1.6.3
Tags: pullup

 Dates  
Created: Fri Mar 16 00:30:27 2007
Starts: Not set
Started: Fri Jul 27 00:38:51 2007
Last Contact: Fri Aug 31 17:38:49 2007
Due: Not set
Updated: Sun Jun 8 06:10:28 2008 by guest
 

People
Owner: raeburn
Requestors: lukeh@padl.com


History
      Fri Mar 16 00:30:28 2007  lukeh@padl.com - Ticket created    
     
From: Luke Howard <lukeh@padl.com>
To: krb5-bugs@mit.edu
Subject: krb5_ktfile_get_entry() can invalidate keytab file handle
Date: Fri, 16 Mar 2007 15:18:56 +1100
Cc: mc@suse.de, gd@samba.org, samba-maintainers@suse.de

 

     

From:

http://lists.samba.org/archive/samba-technical/2006-March/046171.html

> as the MIT krb5's krb5_rd_req does an explicit close on the keytab when it
> was able to decrypt the ticket (but the ticket is not yet or no longer
> valid), we crash on calling krb5_ktfile_get_entry the next time as the
> krb5_keytab has become invalid. (to reproduce set your clock to a wrong
> time and use "use kerberos keytab = yes").

Although some versions of Samba have a workaround for this, it would
be wise to validate the file handle before dereferencing it in kt_file.c.

See attached patch.

regards,

-- Luke


     
--- branches/mit-integ/krb5/src/lib/krb5/keytab/kt_file.c	2006/07/06 13:47:57	573
+++ branches/mit-integ/krb5/src/lib/krb5/keytab/kt_file.c	2006/07/25 12:40:18	928
@@ -460,6 +460,10 @@
     kerror = KTLOCK(id);
     if (kerror)
 	return kerror;
+    if (KTFILEP(id) == NULL) {
+	KTUNLOCK(id);
+	return KRB5_KT_IOERR;
+    }
     if (fseek(KTFILEP(id), *fileoff, 0) == -1) {
 	KTUNLOCK(id);
 	return KRB5_KT_END;
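
Review bot: The new `KTFILEP(id) == NULL` test before the fseek() only helps if whatever closed the keytab also reset the stored handle to NULL; a handle that was closed but left non-NULL would pass this test and still reach fseek(). Please confirm that the close path clears the pointer, and add a one-line comment above the test saying that the handle can be NULL here because an earlier call may have closed the keytab (the krb5_rd_req case in the report). The guard is added at this one site only, so other places in kt_file.c that use KTFILEP(id) after KTLOCK(id) deserve the same look. Calling KTUNLOCK(id) before returning KRB5_KT_IOERR is consistent with the fseek() error path just below.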

     
--
www.padl.com | www.lukehoward.com

      Fri Jul 27 00:38:51 2007  raeburn - Given to raeburn    
      Fri Jul 27 00:38:51 2007  raeburn - Status changed from new to resolved    
      Fri Jul 27 00:38:52 2007  raeburn - Correspondence added    
     
From: raeburn@mit.edu
Subject: SVN Commit

Check for null file handle in get_next.
Patch from Luke Howard.

Commit By: raeburn



Revision: 19736
Changed Files:
_U  trunk/
U   trunk/src/lib/krb5/keytab/kt_file.c


      Fri Jul 27 11:48:45 2007  raeburn - Component krb5-libs added    
      Fri Jul 27 11:48:46 2007  raeburn - Version_reported 1.6.1 added    
      Fri Jul 27 11:48:46 2007  raeburn - Target_Version 1.6.3 added    
      Fri Jul 27 11:48:46 2007  raeburn - Tags pullup added    
      Fri Aug 31 17:38:46 2007  tlyu - Version_Fixed 1.6.3 added    
      Fri Aug 31 17:38:46 2007  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: SVN Commit

pull up r19736 from trunk

 r19736@cathode-dark-space:  raeburn | 2007-07-27 00:38:46 -0400
 ticket: 5471

 Check for null file handle in get_next.
 Patch from Luke Howard.



Commit By: tlyu



Revision: 19907
Changed Files:
_U  branches/krb5-1-6/
U   branches/krb5-1-6/src/lib/krb5/keytab/kt_file.c

