Message-ID: <64F440A7-46B3-45A7-879C-A64E0927CDA3@mit.edu>
From: Ken Raeburn
Subject: Re: Bug#428732: [krbdev.mit.edu #5593] kadmin crashes during password changes
Date: Fri, 6 Jul 2007 19:53:46 -0400
To: Russ Allbery, Andrew.Reid@nist.gov
CC: krb5-bugs@MIT.EDU, 428732@bugs.debian.org

I just tried on our x86_64 etch system (1.4.4-7etch1 kadmind installed), and with a few simple tests, couldn't reproduce the problem.
I set up a realm FOOBAR.X with a user principal ken with admin privileges, ran "kadmin -p ken -q 'cpw ken'" and then "kpasswd" a few times, sometimes re-using the same password, sometimes trying different passwords (all short).

However, after a reminder from Tom Yu that we had some int/pointer problems fixed in that code a while back, I built -7etch1 (since -7etch2 doesn't seem to be on the servers I'm using?), worked out a rough function call stack from the stack trace in the Debian bug report, and found this once I knew where to look:

    ../../../src/kadmin/server/misc.c:148: warning: assignment makes pointer from integer without a cast

Line 148:

    time_string = ctime(&until);

A disassembly confirms that the compiler is widening the assumed int return value from ctime, from 32 to 64 bits, when in fact it's a 64-bit pointer. I tried calling ctime under gdb, and it showed me a 32-bit value with the high bit set. Whether that's the true value, or gdb was confused about the return type and truncated to 32 bits, I don't know. But either way, that high bit in the low 32 is going to get copied into the upper 32 bits, probably not what we want.

This code path requires that the principal in question have a policy dictating a minimum time before the password can be changed, and a password change made before that time has elapsed. (I should've thought of that given the description of changing passwords specifically in a short time.)

Andrew, does that describe your situation? If so, changing src/kadmin/server/misc.c to include could fix the problem.

Ken
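
The widening described in this message, modelled as an added example (not part of the original e-mail or the krb5 source): it shows what happens to a 64-bit pointer when the caller treats ctime's return value as a 32-bit int. The function names and the sample addresses are constructed for illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>   /* declares char *ctime(const time_t *); with it the full pointer is kept */

/* Models a caller with no prototype in scope on an LP64 system: only the
 * low 32 bits of the returned value are used (the assumed int), and they
 * are sign-extended to pointer width on assignment. */
static uint64_t widen_assumed_int(uint64_t returned_ptr)
{
    uint64_t low = returned_ptr & 0xffffffffu;
    if (low & 0x80000000u)              /* high bit of the low 32 is set */
        low |= 0xffffffff00000000ull;   /* ...so it is copied into the upper 32 */
    return low;
}

/* A pointer comes through intact only if it already equals its own
 * sign-extended low 32 bits. */
static int pointer_survives(uint64_t returned_ptr)
{
    return widen_assumed_int(returned_ptr) == returned_ptr;
}

/* Same call as line 148, compiled with the prototype visible. */
static const char *until_string(time_t until)
{
    const char *s = ctime(&until);
    return s ? s : "(time not representable)\n";
}

int main(void)
{
    /* Constructed sample addresses, not taken from the bug report. */
    static const uint64_t samples[] = {
        0x0000000000601040ull, 0x00007f3a1c2e1000ull, 0x00007f3a9c2e1000ull
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%016" PRIx64 " -> 0x%016" PRIx64 " %s\n", samples[i],
               widen_assumed_int(samples[i]),
               pointer_survives(samples[i]) ? "intact" : "corrupted");
    printf("%s", until_string((time_t)1183766026));
    return 0;
}
```

Building with GCC's -Werror=implicit-function-declaration turns the missing prototype into a compile error instead of a warning that is easy to overlook.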