Date: Tue, 23 Feb 1999 11:33:56 -0500 (EST)
From: Doug Granzow
To: krb5-bugs@MIT.EDU
Subject: kadmind problem

>Number: 694
>Category: krb5-admin
>Synopsis: kadmind can be crashed by client
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: tlyu
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Feb 23 11:35:00 EST 1999
>Last-Modified: Tue Sep 18 17:36:06 EDT 2001
>Originator: Super-User
>Organization: DIGEX, Inc.
>Release: krb5-1.0.5
>Environment:
System: SunOS krb5-slave.digex.net.belt 5.6 Generic_105181-11 sun4u sparc SUNW,Ultra-1
Architecture: sun4
>Description:
An authenticated kadmin user can cause the kadmind server to exit by typing control-c immediately after typing "listprincs".
>How-To-Repeat:
On any system, run kadmin. Once authenticated, enter the "listprincs" command, then *immediately* type control-c before any response is returned. The kadmind process on the kdc exits with nothing logged to the log file. A core file is created in the root directory (/).
>Fix:
Not known
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->tlyu
Responsible-Changed-By: tlyu
Responsible-Changed-When: Mon Mar 1 21:31:11 1999
Responsible-Changed-Why: refiled
State-Changed-From-To: open-feedback
State-Changed-By: tlyu
State-Changed-When: Mon Mar 1 21:31:46 1999
State-Changed-Why: probable patch generated and queued for 1.0.6
From: Tom Yu
To: dgranzow@gunzour.isbu.digex.net
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-admin/694: kadmind can be crashed by client
Date: Mon, 1 Mar 1999 21:34:07 -0500 (EST)

Thanks for the report. Please try applying this patch and seeing if you can still reproduce the problem. Also, it would be nice if you could get a stack trace of the coredump, to ascertain whether it is this particular problem or whether it is the SIGPIPE problem, which I'm not certain whether or not we've fixed in 1.0.5. Thanks.

---Tom

Index: ovsec_kadmd.c =================================================================== RCS file: /cvs/krbdev/krb5/src/kadmin/server/ovsec_kadmd.c,v retrieving revision 1.58.2.1 retrieving revision 1.58.2.2 diff -u -r1.58.2.1 -r1.58.2.2 --- ovsec_kadmd.c 1996/11/19 22:09:47 1.58.2.1 +++ ovsec_kadmd.c 1999/03/02 02:28:31 1.58.2.2 @@ -1,11 +1,11 @@ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * - * $Header: /cvs/krbdev/krb5/src/kadmin/server/ovsec_kadmd.c,v 1.58.2.1 1996/11/19 22:09:47 bjaspan Exp $ + * $Header: /cvs/krbdev/krb5/src/kadmin/server/ovsec_kadmd.c,v 1.58.2.2 1999/03/02 02:28:31 tlyu Exp $ */ #if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header: /cvs/krbdev/krb5/src/kadmin/server/ovsec_kadmd.c,v 1.58.2.1 1996/11/19 22:09:47 bjaspan Exp $"; +static char *rcsid = "$Header: /cvs/krbdev/krb5/src/kadmin/server/ovsec_kadmd.c,v 1.58.2.2 1999/03/02 02:28:31 tlyu Exp $"; #endif #include 
@@ -635,33 +635,58 @@ struct svc_req *rqst, struct rpc_msg *msg, char *data) { - static const char *const proc_names[] = { - "kadm5_create_principal", - "kadm5_delete_principal", - "kadm5_modify_principal", - "kadm5_rename_principal", - "kadm5_get_principal", - "kadm5_chpass_principal", - "kadm5_randkey_principal", - "kadm5_create_policy", - "kadm5_delete_policy", - "kadm5_modify_policy", - "kadm5_get_policy", - "kadm5_get_privs", + struct procnames { + rpc_u_int32 proc; + const char *proc_name; }; + static const struct procnames proc_names[] = { + {1, "CREATE_PRINCIPAL"}, + {2, "DELETE_PRINCIPAL"}, + {3, "MODIFY_PRINCIPAL"}, + {4, "RENAME_PRINCIPAL"}, + {5, "GET_PRINCIPAL"}, + {6, "CHPASS_PRINCIPAL"}, + {7, "CHRAND_PRINCIPAL"}, + {8, "CREATE_POLICY"}, + {9, "DELETE_POLICY"}, + {10, "MODIFY_POLICY"}, + {11, "GET_POLICY"}, + {12, "GET_PRIVS"}, + {13, "INIT"}, + {14, "GET_PRINCS"}, + {15, "GET_POLS"}, + }; +#define NPROCNAMES (sizeof (proc_names) / sizeof (struct procnames)) OM_uint32 minor; gss_buffer_desc client, server; gss_OID gss_type; char *a; + rpc_u_int32 proc; + int i; + const char *procname; (void) gss_display_name(&minor, client_name, &client, &gss_type); (void) gss_display_name(&minor, server_name, &server, &gss_type); a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr); - krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, " - "claimed client = %s, server = %s, addr = %s", - proc_names[msg->rm_call.cb_proc], client.value, - server.value, a); + proc = msg->rm_call.cb_proc; + procname = NULL; + for (i = 0; i < NPROCNAMES; i++) { + if (proc_names[i].proc == proc) { + procname = proc_names[i].proc_name; + break; + } + } + if (procname != NULL) + krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, " + "claimed client = %s, server = %s, addr = %s", + procname, client.value, + server.value, a); + else + krb5_klog_syslog(LOG_NOTICE, "WARNING! 
Forged/garbled request: %d, " + "claimed client = %s, server = %s, addr = %s", + proc, client.value, + server.value, a); (void) gss_release_buffer(&minor, &client); (void) gss_release_buffer(&minor, &server);

From: Doug Granzow
To: Tom Yu
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-admin/694: kadmind can be crashed by client
Date: Wed, 3 Mar 1999 10:23:26 -0500 (EST)

Yes, this works! :) I tried the SIGPIPE patch I was given earlier and that didn't seem to fix it. But after applying this patch and compiling it, I can't crash kadmind anymore. Thanks very much for your help. Let me know if you want any more debugging info from me...

Doug

On Mon, 1 Mar 1999, Tom Yu wrote:
> Thanks for the report. Please try applying this patch and seeing if
> you can still reproduce the problem. Also, it would be nice if you
> could get a stack trace of the coredump, to ascertain whether it is
> this particular problem or whether it is the SIGPIPE problem, which
> I'm not certain whether or not we've fixed in 1.0.5. Thanks.
>
> ---Tom
>
> [quoted patch omitted; it is identical to the one in Tom Yu's message above]

State-Changed-From-To: feedback-closed
State-Changed-By: tlyu
State-Changed-When: Tue Sep 18 17:35:32 2001
State-Changed-Why: Fixed long ago.
>Unformatted:
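Review bot: in the second hunk of the patch (the `@@ -635,33 +635,58 @@` region), the `else` branch logs `proc`, declared as `rpc_u_int32`, with `%d`; use `%u` (or cast to `unsigned long` and use `%lu`) so a large procedure number is not printed as a negative value. In the same hunk, `for (i = 0; i < NPROCNAMES; i++)` compares a signed `int i` against the `size_t` value of the `NPROCNAMES` sizeof expression; declaring `i` as `size_t` (or `unsigned int`) avoids the sign-compare warning. The substance of the change is right: the removed code indexed a 12-entry `proc_names[]` directly with the client-supplied `msg->rm_call.cb_proc`, so any procedure number the table did not cover (the new table lists INIT, GET_PRINCS and GET_POLS as 13, 14 and 15) read past the end of the array, and the old table also began at index 0 with `kadm5_create_principal` while the new numbering puts CREATE_PRINCIPAL at 1, so the old log names were off by one; the lookup by number with a NULL fallback fixes both.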
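The pattern behind this report and its fix, as an added C example that is not krb5 code and not the patch in this thread: the kadm5 RPC procedure number arrives from the client, so it must be looked up in the name table rather than used as a raw array index, and an unknown number must fall back to logging the number itself. The procedure numbers and names are the ones listed in the patch; `lookup_proc_name` and `format_garbled_request` are hypothetical names chosen here, and the principal names and address in `main` are constructed sample values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not krb5 code. Models the "Forged/garbled request" log line
 * whose table lookup the patch in this thread corrects. */

struct procname {
    unsigned int proc;   /* kadm5 RPC procedure number, as sent by the client */
    const char *name;
};

/* Procedure numbers and names as listed in the patch in this thread. */
static const struct procname proc_names[] = {
    {1, "CREATE_PRINCIPAL"}, {2, "DELETE_PRINCIPAL"}, {3, "MODIFY_PRINCIPAL"},
    {4, "RENAME_PRINCIPAL"}, {5, "GET_PRINCIPAL"},    {6, "CHPASS_PRINCIPAL"},
    {7, "CHRAND_PRINCIPAL"}, {8, "CREATE_POLICY"},    {9, "DELETE_POLICY"},
    {10, "MODIFY_POLICY"},   {11, "GET_POLICY"},      {12, "GET_PRIVS"},
    {13, "INIT"},            {14, "GET_PRINCS"},      {15, "GET_POLS"},
};
#define NPROCNAMES (sizeof(proc_names) / sizeof(proc_names[0]))

/* Pre-patch shape, for contrast only: a 12-entry table indexed directly by the
 * client-supplied number, i.e. proc_names[proc]. A GET_PRINCS request (14), which
 * is what "listprincs" sends, reads past the end of such a table. Never index a
 * fixed table with an untrusted value; search it instead, as below. */

/* Patched shape: search by procedure number; unknown numbers yield NULL
 * (hypothetical name for this example). */
const char *lookup_proc_name(unsigned int proc)
{
    size_t i;
    for (i = 0; i < NPROCNAMES; i++)
        if (proc_names[i].proc == proc)
            return proc_names[i].name;
    return NULL;
}

/* Build the warning line into buf and return snprintf's result. A known number
 * is logged by name, an unknown one by its raw value, so the log never depends
 * on the client sending a number the table covers (hypothetical name). */
int format_garbled_request(char *buf, size_t len, unsigned int proc,
                           const char *client, const char *server,
                           const char *addr)
{
    const char *name = lookup_proc_name(proc);
    if (name != NULL)
        return snprintf(buf, len, "WARNING! Forged/garbled request: %s, "
                        "claimed client = %s, server = %s, addr = %s",
                        name, client, server, addr);
    return snprintf(buf, len, "WARNING! Forged/garbled request: %u, "
                    "claimed client = %s, server = %s, addr = %s",
                    proc, client, server, addr);
}

int main(void)
{
    char line[256];
    /* Constructed sample values, not taken from any real KDC. */
    format_garbled_request(line, sizeof line, 14, "admin/admin@EXAMPLE.COM",
                           "kadmin/admin@EXAMPLE.COM", "192.0.2.10");
    puts(line);   /* names the procedure: GET_PRINCS */
    format_garbled_request(line, sizeof line, 99, "admin/admin@EXAMPLE.COM",
                           "kadmin/admin@EXAMPLE.COM", "192.0.2.10");
    puts(line);   /* unknown number: logged as 99, no table access */
    return 0;
}
```

The search costs a few comparisons per logged request, which is negligible for a warning path, and it keeps the table's numbering explicit in the source rather than implied by array position, which is what let the old 12-entry table drift out of step with the protocol's 15 procedures.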