From ratliff@austin.ibm.com Tue Oct 2 13:01:37 2001
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id NAA02861
for <bugs@RT-11.mit.edu>; Tue, 2 Oct 2001 13:01:37 -0400 (EDT)
Received: from mg02.austin.ibm.com (mg02.austin.ibm.com [192.35.232.12])
by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id NAA00740
for <krb5-bugs@mit.edu>; Tue, 2 Oct 2001 13:01:37 -0400 (EDT)
Received: from austin.ibm.com (netmail2.austin.ibm.com [9.3.7.139])
by mg02.austin.ibm.com (AIX4.3/8.9.3/8.9.3) with ESMTP id MAA23364
for <krb5-bugs@mit.edu>; Tue, 2 Oct 2001 12:08:40 -0500
Received: from spiff.austin.ibm.com (spiff.austin.ibm.com [9.53.216.123])
by austin.ibm.com (AIX4.3/8.9.3/8.9.3) with ESMTP id MAA24524
for <krb5-bugs@mit.edu>; Tue, 2 Oct 2001 12:01:35 -0500
Received: by spiff.austin.ibm.com (Postfix, from userid 501)
id C00B682C06; Tue, 2 Oct 2001 12:01:38 -0500 (CDT)
Message-Id: <20011002170138.C00B682C06@spiff.austin.ibm.com>
Date: Tue, 2 Oct 2001 12:01:38 -0500 (CDT)
From: ratliff@austin.ibm.com
Reply-To: ratliff@austin.ibm.com
To: krb5-bugs@mit.edu, ratliff@austin.ibm.com
Subject: Patch for kadmin hang
X-Send-Pr-Version: 3.99
System: Linux spiff.austin.ibm.com 2.2.17-21mdk #1 Thu Oct 5 13:16:08 CEST 2000 i686 unknown
Architecture: i686
invalid principal. A couple of examples of principals that will
cause the hang:
mike\\@
@mike/admin@REALM
If the @ is escaped or is the first symbol of a principal, the
else branch of the principal parsing code in kadmin.c is executed.
The else branch does a strchr(cp, '@') but since the first character
of cp is an @, the original value is returned and cp is not updated.
This makes the while loop endlessly causing the hang. It is fairly
harmless because you can ^C out of it and return to the kadmin
prompt, but getting the error message would be nicer.
I originally sent this to the krbdev mailing list, but it really
belongs here. I apologize for the mistake.
kadmin: addprinc mi\@ke/admin@REALM
<hang>
diff -ur src.old/kadmin/cli/kadmin.c src/kadmin/cli/kadmin.c
--- src.old/kadmin/cli/kadmin.c Thu Sep 13 15:38:48 2001
+++ src/kadmin/cli/kadmin.c Fri Sep 21 14:30:52 2001
@@ -158,7 +158,7 @@
if (cp - fullname && *(cp - 1) != '\\')
break;
else
- cp = strchr(cp, '@');
+ cp = strchr((cp + 1), '@');
}
if (cp == NULL) {
strcat(fullname, "@");
Responsible-Changed-From-To: krb5-unassigned->raeburn
Responsible-Changed-By: raeburn
Responsible-Changed-When: Wed Oct 10 00:01:08 2001
Responsible-Changed-Why:
I'll take this one too..
State-Changed-From-To: open-feedback
State-Changed-By: raeburn
State-Changed-When: Wed Oct 10 00:06:30 2001
State-Changed-Why:
Thanks. This will be in 1.3 also.
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id NAA02861
for <bugs@RT-11.mit.edu>; Tue, 2 Oct 2001 13:01:37 -0400 (EDT)
Received: from mg02.austin.ibm.com (mg02.austin.ibm.com [192.35.232.12])
by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id NAA00740
for <krb5-bugs@mit.edu>; Tue, 2 Oct 2001 13:01:37 -0400 (EDT)
Received: from austin.ibm.com (netmail2.austin.ibm.com [9.3.7.139])
by mg02.austin.ibm.com (AIX4.3/8.9.3/8.9.3) with ESMTP id MAA23364
for <krb5-bugs@mit.edu>; Tue, 2 Oct 2001 12:08:40 -0500
Received: from spiff.austin.ibm.com (spiff.austin.ibm.com [9.53.216.123])
by austin.ibm.com (AIX4.3/8.9.3/8.9.3) with ESMTP id MAA24524
for <krb5-bugs@mit.edu>; Tue, 2 Oct 2001 12:01:35 -0500
Received: by spiff.austin.ibm.com (Postfix, from userid 501)
id C00B682C06; Tue, 2 Oct 2001 12:01:38 -0500 (CDT)
Message-Id: <20011002170138.C00B682C06@spiff.austin.ibm.com>
Date: Tue, 2 Oct 2001 12:01:38 -0500 (CDT)
From: ratliff@austin.ibm.com
Reply-To: ratliff@austin.ibm.com
To: krb5-bugs@mit.edu, ratliff@austin.ibm.com
Subject: Patch for kadmin hang
X-Send-Pr-Version: 3.99
Show quoted text
>Number: 1001
>Category: krb5-admin
>Synopsis: kadmin hangs on erroneous input rather than giving error msg
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: raeburn
>State: feedback
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Oct 2 13:02:00 EDT 2001
>Last-Modified: Wed Oct 10 00:06:36 EDT 2001
>Originator: Emily Ratliff
>Organization:
IBM Linux Technology Center, Security>Category: krb5-admin
>Synopsis: kadmin hangs on erroneous input rather than giving error msg
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: raeburn
>State: feedback
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Oct 2 13:02:00 EDT 2001
>Last-Modified: Wed Oct 10 00:06:36 EDT 2001
>Originator: Emily Ratliff
>Organization:
Show quoted text
>Release: krb5-1.2.2
>Environment:
>Environment:
System: Linux spiff.austin.ibm.com 2.2.17-21mdk #1 Thu Oct 5 13:16:08 CEST 2000 i686 unknown
Architecture: i686
Show quoted text
>Description:
kadmin hangs when presented with bad input in the form of aninvalid principal. A couple of examples of principals that will
cause the hang:
mike\\@
@mike/admin@REALM
If the @ is escaped or is the first symbol of a principal, the
else branch of the principal parsing code in kadmin.c is executed.
The else branch does a strchr(cp, '@') but since the first character
of cp is an @, the original value is returned and cp is not updated.
This makes the while loop endlessly causing the hang. It is fairly
harmless because you can ^C out of it and return to the kadmin
prompt, but getting the error message would be nicer.
I originally sent this to the krbdev mailing list, but it really
belongs here. I apologize for the mistake.
Show quoted text
>How-To-Repeat:
$ kadminkadmin: addprinc mi\@ke/admin@REALM
<hang>
Show quoted text
>Fix:
diff -ur src.old/kadmin/cli/kadmin.c src/kadmin/cli/kadmin.c
--- src.old/kadmin/cli/kadmin.c Thu Sep 13 15:38:48 2001
+++ src/kadmin/cli/kadmin.c Fri Sep 21 14:30:52 2001
@@ -158,7 +158,7 @@
if (cp - fullname && *(cp - 1) != '\\')
break;
else
- cp = strchr(cp, '@');
+ cp = strchr((cp + 1), '@');
}
if (cp == NULL) {
strcat(fullname, "@");
Show quoted text
>Audit-Trail:
Responsible-Changed-From-To: krb5-unassigned->raeburn
Responsible-Changed-By: raeburn
Responsible-Changed-When: Wed Oct 10 00:01:08 2001
Responsible-Changed-Why:
I'll take this one too..
State-Changed-From-To: open-feedback
State-Changed-By: raeburn
State-Changed-When: Wed Oct 10 00:06:30 2001
State-Changed-Why:
Thanks. This will be in 1.3 also.
Show quoted text
>Unformatted: