krbdev.mit.edu RT: Ticket #5980 krb5_cc_default_name() can return NULL, but is passed directly to strcmp() (causing crash)
 The Basics  
Id
5980
Status
resolved
Worked
0 min
Priority
0/0
Queue
krb5
 

 Keyword Selections  
Component
  • krb5-libs
Version_reported
  • 1.6.3
Version_Fixed
  • 1.6.4
Target_Version
Tags
  • pullup
 

 Relationships  
Depends on:
Depended on by:
Parents:
Children:

Refers to:
Referred to by:
 
 Dates  
Created: Fri Jun 13 14:24:03 2008
Starts: Not set
Started: Fri Jun 20 16:43:43 2008
Last Contact: Mon Jul 21 18:59:48 2008
Due: Not set
Updated: Mon Jul 21 18:59:48 2008 by tlyu
 

 People  
Owner
 jaltman
Requestors
 
Cc
 datallah@pidgin.im
AdminCc
 
 


History
      Fri Jun 13 14:24:03 2008  guest - Ticket created    
     
Subject: krb5_cc_default_name() can return NULL, but is passed directly to
CC: datallah@pidgin.im

I've been running into an issue where, occasionally, when there's a
network change, I get a crash because a NULL pointer is passed to
strcmp().

To provide some background, I'm using the MIT Kerberos for Windows
GSSAPI (version 3.2.2) functionality in the GSSAPI plugin for
Cyrus-SASL.

Immediately before the crash, an error popup is displayed saying:

Internal credentials cache error
(Kerberos error 196)
krb5_cc_next_cred() failed

The crash occurs as soon as I dismiss the popup.

A partially complete stack trace is below. I'm not sure why it isn't
unwinding the last frames correctly to get to where the strcmp is
actually called; I've seen this sometimes with the utility I'm using
(exchndl.dll from the mingw-tools). I think it is somehow getting
messed up by the leash dll being loaded dynamically.
-------------------
Error occured on Tuesday, June 10, 2008 at 08:26:04.

Windows Version 5.1 Build 2600 Service Pack 2

C:\devel\pidgin-devel\build\pidgin.exe caused an Access Violation at location 77c47740 in module C:\WINDOWS\system32\msvcrt.dll Reading from location 00000000.

Registers:
eax=00000000 ebx=06d3dc28 ecx=0022ea2c edx=00000000 esi=071642bc edi=0022eb2c
eip=77c47740 esp=0022e9d4 ebp=0022eb2c iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246

Call stack:
         C:\WINDOWS\system32\msvcrt.dll [7.0.2600.2180]
77C47740 C:\WINDOWS\system32\msvcrt.dll  strcmp
         C:\devel\pidgin-devel\build\gssapi32.dll [1.6.3.16]
1C002BF1 C:\devel\pidgin-devel\build\gssapi32.dll  acquire_init_cred
c:\temp\kfw\src\athena\auth\krb5\src\lib\gssapi\krb5\acquire_cred.c:306
1C001FA5 C:\devel\pidgin-devel\build\gssapi32.dll
krb5_gss_acquire_cred
c:\temp\kfw\src\athena\auth\krb5\src\lib\gssapi\krb5\acquire_cred.c:560
1C001620 C:\devel\pidgin-devel\build\gssapi32.dll  kg_get_defcred
c:\temp\kfw\src\athena\auth\krb5\src\lib\gssapi\krb5\gssapi_krb5.c:148
1C00466C C:\devel\pidgin-devel\build\gssapi32.dll
krb5_gss_init_sec_context
c:\temp\kfw\src\athena\auth\krb5\src\lib\gssapi\krb5\init_sec_context.c:882
1C00A4CF C:\devel\pidgin-devel\build\gssapi32.dll
k5glue_init_sec_context
c:\temp\kfw\src\athena\auth\krb5\src\lib\gssapi\krb5\krb5_gss_glue.c:680
1C00D83C C:\devel\pidgin-devel\build\gssapi32.dll
gss_init_sec_context
c:\temp\kfw\src\athena\auth\krb5\src\lib\gssapi\mechglue\g_init_sec_context.c:225
         C:\devel\pidgin-devel\build\sasl2\saslGSSAPI.dll [2.1.22.0]
01AD295A C:\devel\pidgin-devel\build\sasl2\saslGSSAPI.dll



      Fri Jun 20 16:43:43 2008  jaltman - Status changed from new to open    
      Fri Jun 20 16:43:43 2008  jaltman - Given to jaltman    
      Fri Jun 20 16:43:44 2008  jaltman - Correspondence added    
     
I do not see an obvious location in the gss code or leash code in which
the output of krb5_cc_default_name() is used when NULL.

If you create a debug build so that the optimization is turned off you
might get a back stack state.


      Mon Jul 21 10:51:48 2008  daniel.atallah@gmail.com - Correspondence added    
     
Date: Sun, 20 Jul 2008 17:09:39 -0400
From: "Daniel Atallah" <daniel.atallah@gmail.com>
To: krb5-bugs@mit.edu
Subject: [krbdev.mit.edu #5980] krb5_cc_default_name() can return NULL, but is passed directly to strcmp() (causing crash)

Sorry for taking so long to reply - for some reason, I didn't receive
a notification that there had been a reply.

I've been unable to get a decent stack trace unfortunately, but
grepping through the source, I can see some possible culprits:

src\athena\auth\krb5\src\lib\krb5\ccache\ccdefault.c:85
src\athena\auth\krb5\src\lib\krb5\ccache\ccdefault.c:105
src\athena\auth\krb5\src\lib\krb5\ccache\ccdefault.c:55

Hopefully this makes it to RT successfully.


      Mon Jul 21 13:40:58 2008  jaltman - Queue changed from kfw to krb5    
      Mon Jul 21 13:41:22 2008  jaltman - Component krb5-libs added    
      Mon Jul 21 13:41:22 2008  jaltman - Version_reported 1.6.3 added    
      Mon Jul 21 13:51:42 2008  jaltman - Status changed from open to review    
      Mon Jul 21 13:51:43 2008  jaltman - Correspondence added    
     
From: jaltman@mit.edu
Subject: SVN Commit


ccdefault.c:
krb5_cc_default_name() is permitted to return a NULL
pointer as a valid output.  Passing a NULL pointer to
strcmp() will result in an exception as NULL is not
a valid input parameter to strcmp().

Save the output of krb5_cc_default_name() to a variable
and modify the conditional to set the new default ccache
name in the case where there is no existing default
ccache name.


Commit By: jaltman



Revision: 20551
Changed Files:
U   trunk/src/lib/krb5/ccache/ccdefault.c


      Mon Jul 21 13:52:07 2008  jaltman - Tags pullup added    
      Mon Jul 21 16:59:34 2008  raeburn - Correspondence added    
     
From: raeburn@mit.edu
Subject: SVN Commit


Another check for null return from krb5_cc_default_name.
Commit By: raeburn



Revision: 20561
Changed Files:
U   trunk/src/lib/krb5/ccache/ccdefault.c


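The pattern described by the two commit messages above (r20551: save the output of krb5_cc_default_name() before comparing, and set the name when there is no existing default; r20561: another NULL check on the consumer side), shown as an added example in a constructed stand-in. This is not the ticket's or krb5's code: the names example_*, the global default-name variable, EXAMPLE_CC_NOTFOUND and the rule that a NULL new name clears the default are assumptions made for this example, not krb5 APIs or semantics.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a process-wide default ccache name.
 * ASSUMPTION for this example: like krb5_cc_default_name(), the getter
 * may legitimately return NULL, meaning "no default ccache name is set". */
static char *g_default_ccache_name = NULL;

const char *example_cc_default_name(void)
{
    return g_default_ccache_name;           /* may be NULL */
}

/* Buggy pattern from the ticket: the getter's result goes straight into
 * strcmp().  strcmp(NULL, x) is undefined behaviour and faults on most
 * libcs (the reporter's trace faults inside msvcrt's strcmp reading
 * address 0).  Kept for contrast only; nothing below calls it. */
int example_default_name_differs_unsafe(const char *new_name)
{
    return strcmp(example_cc_default_name(), new_name) != 0;
}

/* Hardened comparison: the caller has saved the getter's output in cur,
 * and "no existing default" counts as "differs", so the new name is set. */
static int default_name_differs(const char *cur, const char *new_name)
{
    return cur == NULL || strcmp(cur, new_name) != 0;
}

/* Local copy helper so the example does not depend on strdup() being
 * declared under strict C standard modes. */
static char *copy_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Returns 1 if the default name was (re)set or cleared, 0 if nothing
 * changed, -1 on allocation failure.  new_name == NULL clears the default
 * (assumed semantics for this example). */
int example_cc_set_default_name(const char *new_name)
{
    const char *cur = example_cc_default_name();   /* saved once */

    if (new_name == NULL) {
        int changed = (cur != NULL);
        free(g_default_ccache_name);
        g_default_ccache_name = NULL;
        return changed;
    }
    if (!default_name_differs(cur, new_name))
        return 0;

    char *copy = copy_string(new_name);
    if (copy == NULL)
        return -1;
    free(g_default_ccache_name);
    g_default_ccache_name = copy;
    return 1;
}

/* Consumer side ("another check for null return"): a caller that would
 * hand the default name on to a resolver tests for NULL first and reports
 * an error instead of passing NULL along. */
enum { EXAMPLE_CC_NOTFOUND = 1 };   /* constructed error code */

/* Returns 0 and sets *name_out on success, EXAMPLE_CC_NOTFOUND (with
 * *name_out = NULL) when no default ccache name exists. */
int example_cc_default(const char **name_out)
{
    const char *cur = example_cc_default_name();

    if (cur == NULL) {
        *name_out = NULL;
        return EXAMPLE_CC_NOTFOUND;
    }
    *name_out = cur;
    return 0;
}
```

The two fixes are independent: the setter must tolerate a NULL current name even when the consumer check is present, because the setter is reachable before any default has ever been established (for example on the first acquire after a network change, the situation the reporter describes).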
      Mon Jul 21 18:59:32 2008  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: SVN Commit


pull up r20551 from trunk

 r20551@cathode-dark-space:  jaltman | 2008-07-21 13:44:43 -0400
 ticket: 5080
 tags: pullup

 ccdefault.c:
 krb5_cc_default_name() is permitted to return a NULL
 pointer as a valid output.  Passing a NULL pointer to
 strcmp() will result in an exception as NULL is not
 a valid input parameter to strcmp().

 Save the output of krb5_cc_default_name() to a variable
 and modify the conditional to set the new default ccache
 name in the case where there is no existing default
 ccache name.




Commit By: tlyu



Revision: 20564
Changed Files:
_U  branches/krb5-1-6/
U   branches/krb5-1-6/src/lib/krb5/ccache/ccdefault.c


      Mon Jul 21 18:59:44 2008  tlyu - Status changed from review to resolved    
      Mon Jul 21 18:59:45 2008  tlyu - Version_Fixed 1.6.4 added    
      Mon Jul 21 18:59:45 2008  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: SVN Commit


pull up r20561 from trunk
(includes unrelated cleanup of dead assignment)

 r20561@cathode-dark-space:  raeburn | 2008-07-21 16:59:24 -0400
 ticket: 5980

 Another check for null return from krb5_cc_default_name.


Commit By: tlyu



Revision: 20565
Changed Files:
_U  branches/krb5-1-6/
U   branches/krb5-1-6/src/lib/krb5/ccache/ccdefault.c

