From djm@web.us.uu.net Fri Apr 14 12:32:47 2000
Date: Fri, 14 Apr 2000 12:32:21 -0400
From: djm@web.us.uu.net (David J. MacKenzie)
Reply-To: djm@web.us.uu.net
To: krb5-bugs@MIT.EDU
Cc: djm@web.us.uu.net
Subject: overly restrictive buffer in interfaces list
X-Send-Pr-Version: 3.99

>Number: 840
>Category: krb5-libs
>Synopsis: fixed-size buffer breaks with >25 IP addresses
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Apr 14 12:33:01 EDT 2000
>Last-Modified: Fri Apr 21 09:03:00 EDT 2000
>Originator: David MacKenzie
>Organization: UUNET Technologies
>Release: krb5-1.1.1
>Environment:
System: SunOS prod-303a.tco3.web.wcom.net 5.6 Generic_105181-05 sun4u sparc
Architecture: sparc
>Description:
An arbitrary fixed-length buffer breaks Kerberos when the machine has >25 IP addresses configured on it, at least on Solaris 2.6.
>How-To-Repeat:
I believe the symptom was that Kerberos authentication failed on our hosts with >25 IP addresses configured, until this patch was installed.
>Fix:
This fix is from walrus@ans.net (Michael Shiplett), one of UUNET's security engineers.

diff --exclude=*,v --exclude=CVS -ur /homes/elves/djm/src/krb5-1.1.1/src/lib/krb5/os/localaddr.c src/lib/krb5/os/localaddr.c
--- /homes/elves/djm/src/krb5-1.1.1/src/lib/krb5/os/localaddr.c Fri Dec 17 15:48:09 1999
+++ src/lib/krb5/os/localaddr.c Tue Mar 28 04:34:55 2000
@@ -115,22 +115,50 @@ struct ifreq *ifr, ifreq; struct ifconf ifc; int s, code, n, i; - char buf[1024]; - krb5_address *addr_temp [ 1024/sizeof(struct ifreq) ]; + int ifnum; + krb5_address **addr_temp; int n_found; int mem_err = 0; - memset(buf, 0, sizeof(buf)); - ifc.ifc_len = sizeof(buf); - ifc.ifc_buf = buf; - s = socket (USE_AF, USE_TYPE, USE_PROTO); if (s < 0) return SOCKET_ERRNO; +#ifdef SIOCGIFNUM + code = ioctl (s, SIOCGIFNUM, &ifnum); + if (code < 0) { + int retval = errno; + closesocket (s); + return retval; + } +#else + ifnum = 50; /* Twice the old value. */ +#endif + + addr_temp = malloc(ifnum * sizeof(addr_temp)); + if (addr_temp == NULL) + { + int retval = errno; + closesocket (s); + return retval; + } + + ifc.ifc_len = ifnum * sizeof(struct ifreq); + ifc.ifc_buf = malloc(ifc.ifc_len); + if (ifc.ifc_buf == NULL) + { + int retval = errno; + free(addr_temp); + closesocket (s); + return retval; + } + memset(ifc.ifc_buf, 0, ifc.ifc_len); + code = ioctl (s, SIOCGIFCONF, (char *)&ifc); if (code < 0) { int retval = errno; + free(ifc.ifc_buf); + free(addr_temp); closesocket (s); return retval; } @@ -232,6 +260,8 @@ krb5_xfree(addr_temp[i]); addr_temp[i] = 0; } + free(ifc.ifc_buf); + free(addr_temp); return ENOMEM; } @@ -239,6 +269,8 @@ (*addr)[i] = addr_temp[i]; } (*addr)[n_found] = 0; + free(ifc.ifc_buf); + free(addr_temp); return 0; } >Audit-Trail: From: Ken Raeburn To: djm@web.us.uu.net Cc: krb5-bugs@MIT.EDU Subject: Re: krb5-libs/840: overly restrictive buffer in interfaces list Date: 21 Apr 2000 09:02:22 -0400 > An arbitrary fixed-length buffer breaks Kerberos when the > machine has >25 IP addresses configured on it, at least on > Solaris 2.6. Wow, someone else actually ran into that? For 1.2 we've got it set up to loop calling ioctl with bigger and bigger buffers until the kernel appears not to need any more (which so far we're determining only through heuristics). A beta should be out RSN; please let me know if it doesn't work for you. Ken >Unformatted:
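Review bot: In the @@ -115,22 +115,50 @@ hunk, `addr_temp = malloc(ifnum * sizeof(addr_temp));` sizes each element by the pointer-to-pointer variable rather than the element type; the byte count happens to match on every common ABI, but `sizeof(*addr_temp)` (or `sizeof(krb5_address *)`) states the intent and does not rely on that. The `#else` fallback `ifnum = 50; /* Twice the old value. */` keeps a hard ceiling, and because SIOCGIFCONF reports no error when the buffer is too small, a host without SIOCGIFNUM that has more than 50 addresses fails in the same silent way this report describes at 25; retrying with a larger buffer until the returned `ifc_len` leaves spare room (the loop Ken Raeburn mentions for 1.2 in the audit trail) is the portable fix, and at minimum the `#else` branch should carry a comment saying the limit is still arbitrary. The new early returns (after SIOCGIFNUM, after each `malloc`, and the extended one after SIOCGIFCONF) release exactly what has been allocated at that point, which is correct.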
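Review bot: The @@ -232,6 +260,8 @@ hunk frees `ifc.ifc_buf` and `addr_temp` on the ENOMEM path, but the patch shows nothing of the roughly 100 lines between the end of the first hunk (new line 164) and this one (new line 260); any `return` in that unshown stretch that previously just abandoned the stack buffers now leaks both heap blocks, so every exit there needs the same two `free()` calls, or the function should funnel all failures through one cleanup label. Please confirm that region was audited rather than assumed clean.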
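Review bot: On the success path in the @@ -239,6 +269,8 @@ hunk, `free(addr_temp);` after `(*addr)[n_found] = 0;` releases only the array of pointers; the `krb5_address` objects it held were copied into `*addr` in the loop just above and remain owned by the caller. That is right, but a one-line comment saying so would keep a future reader from pairing this `free` with the `krb5_xfree(addr_temp[i])` loop in the ENOMEM path and "fixing" it into a double free.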
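As an added example (not krb5's code and not the patch above), here is the grow-and-retry SIOCGIFCONF loop that Ken Raeburn describes for 1.2, exercised against a constructed stand-in for the kernel that truncates silently exactly the way the real ioctl does, which is why the fixed 1024-byte buffer failed without any error. `fetch_ifconf`, `fake_ifconf`, `real_ifconf` and `FAKE_IFS` are hypothetical names; the stop condition (the reply left room for one more entry) is the same heuristic the audit trail alludes to.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <net/if.h>

/* Any function of this shape can stand in for ioctl(s, SIOCGIFCONF, ifc). */
typedef int (*ifconf_fn)(int s, struct ifconf *ifc);
static int real_ifconf(int s, struct ifconf *ifc) { return ioctl(s, SIOCGIFCONF, (char *)ifc); }
/* Constructed kernel with FAKE_IFS interfaces.  Like the real SIOCGIFCONF it copies
 * as many whole entries as fit and reports only that length: truncation is silent. */
#define FAKE_IFS 37
static int fake_ifconf(int s, struct ifconf *ifc) {
    size_t fit = (size_t)ifc->ifc_len / sizeof(struct ifreq), n = fit < FAKE_IFS ? fit : FAKE_IFS;
    (void)s;
    memset(ifc->ifc_buf, 0, n * sizeof(struct ifreq));
    for (size_t i = 0; i < n; i++)
        snprintf(ifc->ifc_req[i].ifr_name, IFNAMSIZ, "fake%zu", i);
    ifc->ifc_len = (int)(n * sizeof(struct ifreq));
    return 0;
}

/* Offer a buffer and retry with twice the space whenever the reply fills it: only a
 * reply with room left for one more entry is known to be complete.  *out owns a
 * malloc'd buffer the caller frees; *count divides by sizeof(struct ifreq), right on
 * Linux/Solaris, not on BSDs with sa_len-sized entries.  query NULL = real kernel. */
static int fetch_ifconf(int s, ifconf_fn query, struct ifconf *out, int *count) {
    int entry = (int)sizeof(struct ifreq), n = 8;   /* returns 0 or errno; 8, 16, 32... entries */
    if (query == NULL) query = real_ifconf;
    for (;;) {
        struct ifconf ifc;
        ifc.ifc_len = n * entry;
        if ((ifc.ifc_buf = malloc((size_t)ifc.ifc_len)) == NULL) return ENOMEM;
        if (query(s, &ifc) < 0) {
            int err = errno;                         /* save before free() can clobber it */
            free(ifc.ifc_buf);
            return err;
        }
        if (ifc.ifc_len + entry <= n * entry) {      /* spare room: nothing was cut off */
            *out = ifc;
            *count = ifc.ifc_len / entry;
            return 0;
        }
        free(ifc.ifc_buf);
        n *= 2;
    }
}
```

Against the fake kernel the loop offers 8, 16 and 32 entries, sees each reply fill the buffer, and only accepts the 64-entry offer that comes back with 37; with the old fixed buffer the first, truncated reply would have been taken as complete.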