Date: Tue, 24 Apr 2007 12:09:47 -0400
Message-Id: <200704241609.l3OG9lVm004010@rapier.boston.redhat.com>
To: krb5-bugs@mit.edu
From: Nalin Dahyabhai
X-send-pr-version: 3.99
X-Spam-Score: 0.95
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
X-Mailman-Approved-At: Tue, 24 Apr 2007 12:12:38 -0400
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Reply-To: Nalin Dahyabhai
Sender: krb5-bugs-incoming-bounces@PCH.MIT.EDU
Errors-To: krb5-bugs-incoming-bounces@PCH.MIT.EDU

>Submitter-Id: net
>Originator:
>Organization:
>Confidential: no
>Synopsis: uninitialized salt length when reading some keys
>Severity: non-critical
>Priority: medium
>Category: krb5-kdc
>Class: sw-bug
>Release: 1.6
>Environment:
System: Linux rapier.boston.redhat.com 2.6.20-1.3079.fc7 #1 SMP Mon Apr 16 20:05:15 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64
>Description:
When reading a key from the realm database, the ldap plugin doesn't initialize the length of the salt when there is a salt but none was stored. This causes a potential crash any time the corresponding key is copied.
>How-To-Repeat:
Create an entry in the database with a salt type but no explicitly-stored salt. Attempt to read it back using the "getprinc" command using kadmin.local.
>Fix:
This patch:
Index: src/lib/krb5/asn.1/ldap_key_seq.c =================================================================== --- src/lib/krb5/asn.1/ldap_key_seq.c (revision 19525) +++ src/lib/krb5/asn.1/ldap_key_seq.c (working copy) @@ -341,7 +341,8 @@ if (asn1buf_remains(&slt, 0) != 0) { /* Salt value is optional */ ret = decode_tagged_octetstring (&slt, 1, &keylen, &key->key_data_contents[1]); checkerr; - } + } else + keylen = 0; safe_syncbuf (&subbuf, &slt); key->key_data_length[1] = keylen; /* XXX range check?? */
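
Review bot: In the new else branch only keylen is reset; key->key_data_contents[1] is not assigned anywhere in the visible lines when the salt value is absent, so unless it is initialized to NULL above this hunk, a zero length now sits beside a pointer of unknown value. Consider setting key->key_data_contents[1] = NULL in the same branch, and bracing the else to match the braced if. The assignment key->key_data_length[1] = keylen still carries the /* XXX range check?? */ comment, so a decoded length is stored without a bounds check; since this change already touches how keylen is set, adding that check here would close the remaining question on the same line.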