RT/krbdev.mit.edu: Ticket #5766 MSLSA krb5_cc module fails to check success of UNICODE string conversions
 The Basics  
Id
5766
Status
resolved
Worked
0 min
Priority
0/0
Queue
krb5
 

 Keyword Selections  
Component
  • krb5-libs
Version_reported
  • 1.6.2
Version_Fixed
  • 1.6.3
Target_Version
  • 1.6.3
Tags
  • pullup
 

 Relationships  
Depends on:
Depended on by:
  • 5765: (jaltman) KRB5: BUG: krb5_cc_resolve is crashing in windows XP j [resolved]
Parents:
  • 5691: (jaltman) Post KFW 3.2.1 Tracking Ticket [resolved]
Children:

Refers to:
Referred to by:
 
 Dates  
Created: Mon Sep 24 13:46:31 2007
Starts: Not set
Started: Mon Sep 24 13:46:34 2007
Last Contact: Mon Oct 1 19:13:09 2007
Due: Not set
Updated: Tue Jun 17 11:53:18 2008 by guest
 

 People  
Owner
 jaltman
Requestors
 jaltman@mit.edu
Cc
 
AdminCc
 
 

History
      Mon Sep 24 13:46:31 2007  jaltman - Ticket created    
     
From: jaltman@mit.edu
Subject: SVN Commit

The MSLSA krb5_cc module was written with an assumption that probably does not
hold true anymore.  It assumed that all Kerberos strings, although stored in
wide character data structures, could in fact be represented in the application's
ANSI code page and that such conversions would not fail.

The UnicodeToANSI() function did not check the result of WideCharToMultiByte()
for success.  If the conversion failed, this could result in the caller believing
the contents of the output string buffer were a valid string when instead they
were simply stack garbage.

The UnicodeStringToMITPrinc() and KerbExternalNameToMITPrinc() functions did not
check the return value of krb5_parse_name() for success.  If krb5_parse_name()
was passed a pointer to garbage on the stack instead of an actual principal name,
this could result in the caller believing the output krb5_principal * was valid
when instead it was NULL.

The function CacheInfoEx2ToMITCred(), which is dependent on the success or failure of
UnicodeStringToMITPrinc(), assumed it could not fail and did not return a
success or failure indication to its caller.

If a Microsoft-formatted ticket contains a Unicode string that can not be
represented in the application's ANSI code page, this could result in a NULL
pointer dereference during a call to krb5_cc_resolve("MSLSA:"),
krb5_cc_retrieve(), or krb5_cc_get_principal().

With the changes in this commit, tickets containing principal names that cannot
be represented in the application's ANSI code page will be hidden from the
application.


Commit By: jaltman



Revision: 19969
Changed Files:
U   trunk/src/lib/krb5/ccache/cc_mslsa.c


      Mon Sep 24 13:46:34 2007  jaltman - Requestor jaltman@mit.edu added    
      Mon Sep 24 13:46:34 2007  jaltman - Status changed from new to resolved    
      Mon Sep 24 13:51:00 2007  jaltman - Component krb5-libs added    
      Mon Sep 24 13:51:00 2007  jaltman - Version_reported 1.6.2 added    
      Mon Sep 24 14:50:03 2007  jaltman - Correspondence added    
     
From: jaltman@mit.edu
Subject: SVN Commit

Remove the broken optimization from UnicodeToANSI() that attempted
in a stupid way to avoid the WideCharToMultiByte() call by testing
to see if the second byte (not wchar) was NUL.  This test works
for Latin1 but not for anything more interesting.  Always call
WideCharToMultiByte().

I commented out the use of WC_NO_BEST_FIT_CHARS in order to
provide compatibility with Windows.  Windows converts the user
name without that option.

With the current code a principal name consisting of a single
component equivalent to the Greek character Sigma and a realm
name will be converted to S@REALM exactly as the "WhoAmI"
command does.  If WC_NO_BEST_FIT_CHARS was specified, this
string would be converted to "?@REALM".


Commit By: jaltman



Revision: 19970
Changed Files:
U   trunk/src/lib/krb5/ccache/cc_mslsa.c


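The two commit messages above describe the same defect pattern twice: a wide-to-narrow conversion whose failure was never checked, and a shortcut that skipped the conversion whenever the second byte of the buffer was NUL. The following is an added example, not code from cc_mslsa.c or from MIT Kerberos. It replaces WideCharToMultiByte() with a portable stand-in so it runs off Windows, and it assumes a Latin-1 (ISO-8859-1) target code page with no best-fit mapping, so U+03A3 (Greek capital Sigma) is unrepresentable here rather than mapped to "S" as the commit message says Windows does. The names UnicodeToANSI_buggy, UnicodeToANSI_fixed, parse_name and cred_from_wide_name are hypothetical stand-ins for the functions the ticket names.

```c
/* Added example, not MIT Kerberos code. Portable stand-ins for the pattern in
 * cc_mslsa.c: an unchecked wide->ANSI conversion plus the "second byte is NUL"
 * shortcut, beside the fixed shape that reports failure and hides the ticket.
 * Assumption: target code page is Latin-1, no best-fit mapping. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for WideCharToMultiByte(): returns bytes written including the
 * terminating NUL, or 0 on failure. As with the real API, `out` holds nothing
 * meaningful after a failure. */
static int wide_to_ansi(const uint16_t *wide, char *out, size_t outlen)
{
    size_t i;
    if (outlen == 0)
        return 0;
    for (i = 0; wide[i] != 0; i++) {
        if (wide[i] > 0xFF || i + 1 >= outlen)
            return 0;                 /* unrepresentable, or no room */
        out[i] = (char)wide[i];
    }
    out[i] = '\0';
    return (int)(i + 1);
}

/* Shape of the original UnicodeToANSI() (hypothetical name). The shortcut
 * tested only the high byte of the first UTF-16 unit, and the conversion's
 * return value was ignored. Assumes outlen > 0. */
static void UnicodeToANSI_buggy(const uint16_t *wide, char *out, size_t outlen)
{
    if ((wide[0] >> 8) == 0) {        /* "second byte is NUL": fast path */
        size_t i;
        for (i = 0; wide[i] != 0 && i + 1 < outlen; i++)
            out[i] = (char)wide[i];   /* U+03A3 silently becomes byte 0xA3 */
        out[i] = '\0';
        return;
    }
    wide_to_ansi(wide, out, outlen);  /* result ignored: out may be garbage */
}

/* Fixed shape: always convert and tell the caller whether it worked. */
static int UnicodeToANSI_fixed(const uint16_t *wide, char *out, size_t outlen)
{
    return wide_to_ansi(wide, out, outlen) != 0;
}

/* Stand-in for krb5_parse_name(): 0 on success with *princ set, nonzero on
 * failure with *princ left NULL, mirroring the krb5 convention. Only the
 * "component@REALM" shape is recognised here. */
static int parse_name(const char *name, const char **princ)
{
    const char *at = strchr(name, '@');
    *princ = NULL;
    if (at == NULL || at == name || at[1] == '\0')
        return 1;
    *princ = name;
    return 0;
}

/* Fixed shape of the CacheInfoEx2ToMITCred() path: each step reports
 * failure, and a ticket whose name cannot be represented is hidden (returns
 * 0) instead of being handed back with a NULL principal. */
static int cred_from_wide_name(const uint16_t *wide, char *buf, size_t buflen,
                               const char **princ_out)
{
    *princ_out = NULL;
    if (!UnicodeToANSI_fixed(wide, buf, buflen))
        return 0;
    if (parse_name(buf, princ_out) != 0)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed inputs: "a" + U+03A3, and a plain ASCII principal. */
    static const uint16_t a_sigma[] = { 'a', 0x03A3, 0 };
    static const uint16_t ascii[] =
        { 'u', 's', 'e', 'r', '@', 'R', 'E', 'A', 'L', 'M', 0 };
    char buf[32];
    const char *princ;

    UnicodeToANSI_buggy(a_sigma, buf, sizeof buf);
    printf("buggy: a+U+03A3 -> 'a' then byte 0x%02X (truncated, no error)\n",
           (unsigned char)buf[1]);
    printf("fixed: a+U+03A3 -> %s\n",
           cred_from_wide_name(a_sigma, buf, sizeof buf, &princ) ? princ
                                                                 : "hidden");
    printf("fixed: user@REALM -> %s\n",
           cred_from_wide_name(ascii, buf, sizeof buf, &princ) ? princ
                                                               : "hidden");
    return 0;
}
```

The shortcut only looks at the first character, so "aΣ" takes the fast path and Σ is truncated to the byte 0xA3 with no error, while "Σ" alone skips the fast path, fails the conversion, and leaves the output buffer untouched: whatever was there before is what the caller then parses. The fixed path turns both cases into "ticket hidden", which is the behaviour r19969 describes.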
      Fri Sep 28 17:42:34 2007  jaltman - Target_Version 1.6.4 added    
      Fri Sep 28 17:42:35 2007  jaltman - Tags pullup added    
      Fri Sep 28 18:20:03 2007  tlyu - Target_Version 1.6.4 changed to 1.6.3    
      Mon Oct  1 19:12:50 2007  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: SVN Commit

pull up r19969 from trunk

 r19969@cathode-dark-space:  jaltman | 2007-09-24 13:46:26 -0400
 ticket: new
 subject: MSLSA krb5_cc module fails to check success of UNICODE string conversions

 The MSLSA krb5_cc module was written with an assumption that probably does not
 hold true anymore.  It assumed that all Kerberos strings, although stored in
 wide character data structures, could in fact be represented in the application's
 ANSI code page and that such conversions would not fail.

 The UnicodeToANSI() function did not check the result of WideCharToMultiByte()
 for success.  If the conversion failed, this could result in the caller believing
 the contents of the output string buffer were a valid string when instead they
 were simply stack garbage.

 The UnicodeStringToMITPrinc() and KerbExternalNameToMITPrinc() functions did not
 check the return value of krb5_parse_name() for success.  If krb5_parse_name()
 was passed a pointer to garbage on the stack instead of an actual principal name,
 this could result in the caller believing the output krb5_principal * was valid
 when instead it was NULL.

 The function CacheInfoEx2ToMITCred(), which is dependent on the success or failure of
 UnicodeStringToMITPrinc(), assumed it could not fail and did not return a
 success or failure indication to its caller.

 If a Microsoft-formatted ticket contains a Unicode string that can not be
 represented in the application's ANSI code page, this could result in a NULL
 pointer dereference during a call to krb5_cc_resolve("MSLSA:"),
 krb5_cc_retrieve(), or krb5_cc_get_principal().

 With the changes in this commit, tickets containing principal names that cannot
 be represented in the application's ANSI code page will be hidden from the
 application.




Commit By: tlyu



Revision: 20046
Changed Files:
_U  branches/krb5-1-6/
U   branches/krb5-1-6/src/lib/krb5/ccache/cc_mslsa.c


      Mon Oct  1 19:13:06 2007  tlyu - Version_Fixed 1.6.3 added    
      Mon Oct  1 19:13:06 2007  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: SVN Commit

pull up r19970 from trunk

 r19970@cathode-dark-space:  jaltman | 2007-09-24 14:49:58 -0400
 ticket: 5766

 Remove the broken optimization from UnicodeToANSI() that attempted
 in a stupid way to avoid the WideCharToMultiByte() call by testing
 to see if the second byte (not wchar) was NUL.  This test works
 for Latin1 but not for anything more interesting.  Always call
 WideCharToMultiByte().

 I commented out the use of WC_NO_BEST_FIT_CHARS in order to
 provide compatibility with Windows.  Windows converts the user
 name without that option.

 With the current code a principal name consisting of a single
 component equivalent to the Greek character Sigma and a realm
 name will be converted to S@REALM exactly as the "WhoAmI"
 command does.  If WC_NO_BEST_FIT_CHARS was specified, this
 string would be converted to "?@REALM".




Commit By: tlyu



Revision: 20047
Changed Files:
_U  branches/krb5-1-6/
U   branches/krb5-1-6/src/lib/krb5/ccache/cc_mslsa.c

