From buhr@mozart.stat.wisc.edu Wed Aug 6 13:29:41 1997
Date: 06 Aug 1997 12:29:30 -0500
From: buhr@stat.wisc.edu (Kevin Buhr)
To: krb5-bugs@MIT.EDU
Subject: NULL pointer dereference in "krb5_rd_cred_basic"

>Number:         456
>Category:       krb5-libs
>Synopsis:       NULL pointer dereference in "krb5_rd_cred_basic"
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    tlyu
>State:          closed
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Wed Aug 06 13:30:01 EDT 1997
>Last-Modified:  Fri Aug 08 18:05:15 EDT 1997
>Originator:     Kevin Buhr
>Organization:   University of Wisconsin---Madison
>Release:        1.0pl1
>Environment:
System: Linux mozart 2.1.47 #18 Tue Aug 5 13:07:37 CDT 1997 i486 unknown
Architecture: i486
>Description:
There is a potential NULL pointer dereference in "krb5_rd_cred_basic" that is tickled by Beta 4 "rsh" and "rlogin" clients. The relevant snippet of code starts at line 108 of "src/lib/krb5/krb/rd_cred.c":

    if (pkeyblock != NULL) {
        if (!krb5_address_compare(context, remote_addr, encpart.s_address)) {
            retval = KRB5KRB_AP_ERR_BADADDR;
            goto cleanup_cred;
        }
    }

No guarantee is made that the "encpart.s_address" is non-NULL before this call to "krb5_address_compare". When a Beta 4 "rsh" client is used to connect to a 1.0pl1 "kshd" server with credentials forwarding, it creates a credentials structure with NULL "sender_addr" and "recv_addr" fields. As a result, the 1.0pl1 server crashes when it passes the NULL encpart.s_address to "krb5_address_compare". The visible symptoms are that the client aborts with:

    kcmd: bad connection with remote host

and retries using non-Kerberos "rsh".
>How-To-Repeat:
Connect to a 1.0pl1 server with a Beta 4 "rsh" client using:

    rsh -F newish-server echo test

>Fix:
I'm using the following, obvious, patch, but am completely clueless with regards to the security implications:

diff -u -r1.1 src/lib/krb5/krb/rd_cred.c
--- src/lib/krb5/krb/rd_cred.c 1997/08/06 00:00:25 1.1
+++ src/lib/krb5/krb/rd_cred.c 1997/08/06 00:00:31
@@ -105,7 +105,7 @@ * protected by encryption. If it came in the checksum field of * an init_sec_context message, skip over this check. */ - if (pkeyblock != NULL) { + if (remote_addr && encpart.s_address && pkeyblock != NULL) { if (!krb5_address_compare(context, remote_addr, encpart.s_address)) { retval = KRB5KRB_AP_ERR_BADADDR; goto cleanup_cred; >Audit-Trail: Responsible-Changed-From-To: krb5-unassigned->tlyu Responsible-Changed-By: tlyu Responsible-Changed-When: Fri Aug 8 18:04:45 1997 Responsible-Changed-Why: mine State-Changed-From-To: open-closed State-Changed-By: tlyu State-Changed-When: Fri Aug 8 18:04:52 1997 State-Changed-Why: Fixed. lib/krb5/krb/rd_cred.c 5.31 >Unformatted:
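Review bot: the new "remote_addr && encpart.s_address" guard makes the address check optional rather than safe: when the encrypted part carries no sender address the comparison is skipped and the credential is accepted from any remote address, instead of being rejected with KRB5KRB_AP_ERR_BADADDR. Since the reporter explicitly asks about the security implications, the patch should state which policy is intended. If a missing s_address is only expected from the old Beta 4 rsh/rlogin clients, a fail-closed form such as "if (pkeyblock != NULL && remote_addr && (encpart.s_address == NULL || !krb5_address_compare(context, remote_addr, encpart.s_address)))" keeps the address binding while still avoiding the NULL dereference; if skipping is the intended behaviour, a comment saying so belongs next to the condition. The audit trail records the committed fix as lib/krb5/krb/rd_cred.c 5.31, which is not necessarily this hunk.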
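The NULL dereference described in the report, with the reporter's fail-open guard beside a fail-closed alternative, as an added C example that is not part of the report or of the krb5 sources; addr_t, address_compare, the check_sender_addr_* functions and the error values are simplified stand-ins for krb5_address, krb5_address_compare and the rd_cred.c check, and the sample addresses are constructed.

```c
/* Added example: simplified stand-ins for the address check in krb5_rd_cred_basic.
 * Names, struct layout and error values are assumptions, not the real libkrb5 API. */
#include <stddef.h>
#include <string.h>

#define KRB5_OK                0
#define KRB5KRB_AP_ERR_BADADDR 1    /* placeholder value, not libkrb5's */

typedef struct {                    /* stand-in for krb5_address */
    int addrtype;
    size_t length;
    const unsigned char *contents;
} addr_t;

/* Stand-in for krb5_address_compare: same type, length and bytes.
 * Like the original it dereferences both arguments unconditionally,
 * so callers must never pass NULL (the crash in the report). */
static int address_compare(const addr_t *a, const addr_t *b)
{
    return a->addrtype == b->addrtype && a->length == b->length &&
           memcmp(a->contents, b->contents, a->length) == 0;
}

/* The reporter's patch: skip the comparison when either address is
 * missing, so a key-protected KRB-CRED that carries no sender address
 * is accepted from any remote address (fail-open). */
static int check_sender_addr_skip(int have_key, const addr_t *remote,
                                  const addr_t *sender)
{
    if (remote && sender && have_key && !address_compare(remote, sender))
        return KRB5KRB_AP_ERR_BADADDR;
    return KRB5_OK;
}

/* Fail-closed alternative: once the credential is key-protected and the
 * caller supplied a remote address, a missing sender address is treated
 * as a mismatch instead of being waved through. */
static int check_sender_addr_strict(int have_key, const addr_t *remote,
                                    const addr_t *sender)
{
    if (!have_key || !remote)       /* nothing to bind the credential to */
        return KRB5_OK;
    if (!sender || !address_compare(remote, sender))
        return KRB5KRB_AP_ERR_BADADDR;
    return KRB5_OK;
}
/* Constructed sample addresses (type 2 = ADDRTYPE_INET, IPv4). */
static const unsigned char ip_a[4] = {10, 0, 0, 1}, ip_b[4] = {10, 0, 0, 2};
static const addr_t addr_a = {2, 4, ip_a}, addr_b = {2, 4, ip_b};
```

Neither variant ever hands a NULL to address_compare; the two differ only in whether a credential without a sender address is accepted or rejected.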