From krb5-bugs-incoming-bounces@PCH.mit.edu Fri Mar 12 17:09:51 2010
Date: Fri, 12 Mar 2010 15:06:22 -0500
Message-Id: <201003122006.o2CK6M6N022912@blade.bos.redhat.com>
To: krb5-bugs@mit.edu
Subject:
krb5_get_init_creds_password() can crash with NULL options and expired keys
From: nalin@redhat.com
Reply-To: nalin@redhat.com

>Submitter-Id: net
>Originator: Nalin Dahyabhai
>Organization:
>Confidential: no
>Synopsis: krb5_get_init_creds_password() can crash with NULL options and expired keys
>Severity: non-critical
>Priority: medium
>Category: krb5-libs
>Class: sw-bug
>Release: 1.8
>Environment:
System: Linux blade.bos.redhat.com 2.6.31.9-174.fc12.x86_64 #1 SMP Mon Dec 21 05:33:33 UTC 2009 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64
>Description:
Bert Barbé noted, on kerberos@, that krb5_get_init_creds_password(), if it was dealing with an expired key, could try to dereference its "options" argument to read flags before checking that "options" wasn't NULL.
>Fix:
This patch creates a krb5_gic_opt_ext structure using the passed-in options value, which ensures that when we go to check the flags, we get the library defaults if we were passed NULL.

Index: src/lib/krb5/krb/gic_pwd.c
===================================================================
--- src/lib/krb5/krb/gic_pwd.c (revision 23799)
+++ src/lib/krb5/krb/gic_pwd.c (working copy)
@@ -123,6 +123,7 @@ int tries; krb5_creds chpw_creds; krb5_get_init_creds_opt *chpw_opts = NULL; + krb5_gic_opt_ext *opte = NULL; krb5_data pw0, pw1; char banner[1024], pw0array[1024], pw1array[1024]; krb5_prompt prompt[2]; 
@@ -218,7 +219,8 @@ * to prompt. Prompting is only disabled if the option has been set * and the value has been set to false. */ - if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT)) + krb5int_gic_opt_to_opte(context, options, &opte, 1, NULL); + if (!(opte->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT)) goto cleanup; /* ok, we have an expired password. Give the user a few chances @@ -332,6 +334,8 @@ &use_master, &as_reply); cleanup: + if (opte != options) + krb5_get_init_creds_opt_free(context, opte); krb5int_set_prompt_types(context, 0); /* if getting the password was successful, then check to see if the password is about to expire, and warn if so */
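Review bot: the return value of krb5int_gic_opt_to_opte() is discarded in the @@ -218,7 +219,8 @@ hunk, and the very next line dereferences opte->flags unconditionally. The call has to create a new krb5_gic_opt_ext when it cannot reuse the passed-in options (which is exactly the NULL-options case this patch targets), and that creation can fail; when it does, opte is still NULL and the dereference reproduces the crash the patch sets out to remove. Check the returned krb5_error_code and leave before the flags test, e.g. `ret = krb5int_gic_opt_to_opte(context, options, &opte, 1, NULL);` followed by `if (ret) goto cleanup;`, using whatever error variable the function already returns (not visible in this hunk).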
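Review bot: the guard `if (opte != options)` in the @@ -332,6 +334,8 @@ hunk compares a krb5_gic_opt_ext * with a krb5_get_init_creds_opt *, and the following `krb5_get_init_creds_opt_free(context, opte);` passes the krb5_gic_opt_ext * where the public krb5_get_init_creds_opt * type is expected; both want an explicit cast to krb5_get_init_creds_opt * so the build does not warn about mismatched pointer types. Also consider the paths that reach cleanup before the @@ -218 hunk has run (the function's earlier exits are not in this diff): there opte is still NULL, so with a non-NULL options the condition is true and the free is called with NULL; either confirm krb5_get_init_creds_opt_free() tolerates a NULL argument or extend the guard to `opte != NULL && opte != options`.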