From kdrenard@ARL.MIL Fri Jan 31 14:43:09 1997
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id OAA27497 for ; Fri, 31 Jan 1997 14:43:09 -0500
Received: from smokey.arl.mil by MIT.EDU with SMTP id AA10084; Fri, 31 Jan 97 14:43:06 EST
Message-Id: <9701311442.aa02426@SMOKEY.ARL.MIL>
Date: Fri, 31 Jan 97 14:42:57 EST
From: "Kenneth D. Renard" (CICC/HPCD)
To: krb5-bugs@MIT.EDU
Cc: kdrenard@ARL.MIL
Subject: Bug Report

>Number:         361
>Category:       krb5-kdc
>Synopsis:       KDC crashes on incompatible kvno/keytypes
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    tlyu
>State:          closed
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Fri Jan 31 14:44:01 EST 1997
>Last-Modified:  Fri May 30 15:56:37 EDT 1997
>Originator:     Kenneth D. Renard
>Organization:   Army Research Lab
>Release:        1.0 (plus, b6, and probably b7)
>Environment:
System: SunOS murdock.arl.mil 5.5.1 Generic_103640-03 sun4u sparc SUNW,Ultra-1
Architecture: sun4

>Description:
In lib/kdb/keytab.c, the return value from krb5_dbe_find_enctype() is not
checked. If an error occurs and key_data is not returned correctly, the next
call to krb5_dbekd_decrypt_key_data() chokes on the invalid pointer and
crashes the KDC.

>How-To-Repeat:
(Error observed on Beta6 KDC, but the code is the same in v1.0.)

A cross-realm principal was created in both realms:

    REALM1: krbtgt/REALM2@REALM1   kvno = 1
    REALM2: krbtgt/REALM2@REALM1   kvno = 2

A cross-realm authentication attempt was made from REALM1 to REALM2.
REALM2 looked up krbtgt/REALM2@REALM1 in krb5_ktkdb_get_entry() (keytab.c
line 117). The call to krb5_dbe_find_enctype() (keytab.c line 130) was
unsuccessful in matching kvnos and returned ENOENT without filling in the
krb5_key_data pointer. krb5_ktkdb_get_entry() ignored this error code, and
the following call to krb5_dbekd_decrypt_key_data() choked when passed a
bogus krb5_key_data pointer and dumped core.
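The failure path described above, as an added C example that is not krb5's own code: mock_find_enctype and mock_get_entry are constructed stand-ins for krb5_dbe_find_enctype() and krb5_ktkdb_get_entry(), and the constructed entry mirrors REALM2 holding only kvno 2 while the cross-realm request asks for kvno 1.

```c
#include <errno.h>
#include <string.h>

/* Constructed stand-in for one krb5 key_data record: a key per (enctype, kvno). */
typedef struct {
    int enctype;
    int kvno;
    const char *key;              /* placeholder, not a real key */
} mock_key_data;

/* Constructed stand-in for a principal's KDC database entry. */
typedef struct {
    const char *princ;
    mock_key_data keys[4];
    int n_keys;
} mock_db_entry;

/* Behaves as the report describes krb5_dbe_find_enctype(): on an
 * (enctype, kvno) mismatch it returns ENOENT and leaves *out untouched.
 * kvno < 0 means "any kvno". */
static int mock_find_enctype(const mock_db_entry *e, int enctype, int kvno,
                             const mock_key_data **out)
{
    for (int i = 0; i < e->n_keys; i++) {
        if (e->keys[i].enctype == enctype &&
            (kvno < 0 || e->keys[i].kvno == kvno)) {
            *out = &e->keys[i];
            return 0;
        }
    }
    return ENOENT;
}

/* The caller as fixed in the report: propagate the lookup error instead of
 * handing an unset key_data pointer to the decrypt step. */
static int mock_get_entry(const mock_db_entry *e, int enctype, int kvno,
                          const char **key_out)
{
    const mock_key_data *key_data = NULL;   /* left as garbage in the crashing version */
    int err = mock_find_enctype(e, enctype, kvno, &key_data);
    if (err)
        return err;                 /* the fix: no dereference after ENOENT */
    *key_out = key_data->key;       /* stands in for krb5_dbekd_decrypt_key_data() */
    return 0;
}

/* Constructed REALM2 entry for krbtgt/REALM2@REALM1 holding only kvno 2. */
static const mock_db_entry realm2_xrealm = {
    "krbtgt/REALM2@REALM1", { { 1, 2, "key-kvno2" } }, 1
};
```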
>Fix:
Check return value of krb5_dbe_find_enctype() call

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
RCS file: RCS/keytab.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -c -r1.1 -r1.2
*** /tmp/T0a02311	Fri Jan 31 14:38:57 1997
--- /tmp/T1a02311	Fri Jan 31 14:38:57 1997
***************
*** 127,133 ****
      }
      /* match key */
      krb5_dbm_db_get_mkey(context, id->ops, &master_key);
!     krb5_dbe_find_enctype(context, &db_entry, enctype, -1, kvno, &key_data);
      if (kerror = krb5_dbekd_decrypt_key_data(context, master_key, key_data,
  					 &entry->key, NULL))
--- 127,135 ----
      }
      /* match key */
      krb5_dbm_db_get_mkey(context, id->ops, &master_key);
!     if (kerror = krb5_dbe_find_enctype(context, &db_entry, enctype, -1, kvno,
! 				   &key_data))
! 	goto error;
      if (kerror = krb5_dbekd_decrypt_key_data(context, master_key, key_data,
  					 &entry->key, NULL))
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

>Audit-Trail:
State-Changed-From-To: open-analyzed
State-Changed-By: tlyu
State-Changed-When: Sun Mar 16 02:29:05 1997
State-Changed-Why:
This patch looks ok... I'll see about applying it soon.

State-Changed-From-To: analyzed-feedback
State-Changed-By: tlyu
State-Changed-When: Sun Mar 16 21:23:07 1997
State-Changed-Why:
Patch committed, with some changes. This should go into 1.0p1.
lib/kdb/keytab.c 5.7

Responsible-Changed-From-To: krb5-unassigned->tlyu
Responsible-Changed-By: tlyu
Responsible-Changed-When: Mon Mar 17 13:07:29 1997
Responsible-Changed-Why:
should have changed to me...

State-Changed-From-To: feedback-closed
State-Changed-By: tlyu
State-Changed-When: Fri May 30 15:56:21 1997
State-Changed-Why:
1.0pl1 has been released

>Unformatted:
X-send-pr-version: 3.99
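Review bot: the unchecked call one line above the fix in the keytab.c hunk, `krb5_dbm_db_get_mkey(context, id->ops, &master_key);`, still discards its return value in both the old and new versions, so a failed master-key fetch reaches krb5_dbekd_decrypt_key_data() with an unset master_key, the same class of defect the patch closes for key_data; suggest the same treatment: `if (kerror = krb5_dbm_db_get_mkey(context, id->ops, &master_key)) goto error;`. The `error:` label that the new `goto error` jumps to is outside the hunk, so confirm it performs whatever cleanup db_entry needs on this new path rather than only the later ones. Assignment inside the `if` condition matches the existing decrypt call directly below, so it is consistent, though an extra pair of parentheses around the assignment would keep compilers from flagging it.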