From jhawk@MIT.EDU Mon Nov 12 23:06:04 2001
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.72.0.53])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id XAA04451
for <bugs@RT-11.mit.edu>; Mon, 12 Nov 2001 23:06:04 -0500 (EST)
Received: from grand-central-station.mit.edu (GRAND-CENTRAL-STATION.MIT.EDU [18.7.21.82])
by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id XAA00771
for <bugs@RT-11.mit.edu>; Mon, 12 Nov 2001 23:06:03 -0500 (EST)
Received: from melbourne-city-street.mit.edu (MELBOURNE-CITY-STREET.MIT.EDU [18.7.21.86])
by grand-central-station.mit.edu (8.9.2/8.9.2) with ESMTP id XAA19491
for <krb5-bugs@mit.edu>; Mon, 12 Nov 2001 23:06:03 -0500 (EST)
Received: from PICKLED-HERRING.MIT.EDU (PICKLED-HERRING.MIT.EDU [18.187.1.250])
by melbourne-city-street.mit.edu (8.9.2/8.9.2) with ESMTP id XAA05498
for <krb5-bugs@mit.edu>; Mon, 12 Nov 2001 23:03:00 -0500 (EST)
Received: (from jhawk@localhost) by PICKLED-HERRING.MIT.EDU (8.9.3)
id XAA03787; Mon, 12 Nov 2001 23:03:00 -0500
Message-Id: <200111130403.XAA03787@PICKLED-HERRING.MIT.EDU>
Date: Mon, 12 Nov 2001 23:03:00 -0500
From: jhawk@MIT.EDU
Reply-To: jhawk@MIT.EDU
To: krb5-bugs@MIT.EDU
Subject: decrypt_credencdata() double-free()s on error.
X-Send-Pr-Version: 3.99

>Number: 1014
>Category: krb5-libs
>Synopsis: decrypt_credencdata() double-free()s on error.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Mon Nov 12 23:07:00 EST 2001
>Last-Modified:
>Originator: John Hawkinson
>Organization: MIT
>Release: krb5-1.2
>Environment:

System: Linux PICKLED-HERRING.MIT.EDU 2.4.9-6 #1 Thu Oct 18 09:39:55 EDT 2001 i686 unknown
Architecture: i686

>Description:
decrypt_credencdata() can double free() a pointer in the event
of an error. Herein:

38 /* now decode the decrypted stuff */
39 if ((retval = decode_krb5_enc_cred_part(&scratch, &ppart)))
40 goto cleanup_encpart;

however, decode_krb5_enc_cred_part() will free ppart in the event of
an error return:

45 cleanup_encpart:
46 memset(ppart, 0, sizeof(*ppart));
47 krb5_xfree(ppart);

Unfortunately, decode_krb5_enc_cred_part() has already freed it:

601 krb5_error_code decode_krb5_enc_cred_part(code, rep)
602 const krb5_data * code;
603 krb5_cred_enc_part ** rep;
...
606 alloc_field(*rep,krb5_cred_enc_part);
...
624 error_out:
625 if (rep && *rep) {
626 free_field(*rep,r_address);
627 free_field(*rep,s_address);
628 free(*rep);

(*rep is ppart here).

>How-To-Repeat:
Have a krb5 exchange where the server and the client have
different ideas of what is encrypted and what is not, or
perhaps a case where you try to forward tickets in the context
of having failed authorization (i.e. failed kuserok), and
end up having decode_krb5_enc_cred_part() fail with
"ASN.1 identifier doesn't match expected value."
>Fix:
One of them shouldn't be free()-ing this. You figure out which.
>Audit-Trail:
>Unformatted:
To: krb5-bugs@mit.edu
Subject: rd_cred double frees memory
From: Joseph Galbraith <galb@vandyke.com>
Date: Mon, 18 Aug 2003 07:53:24 -0400
Return-Path: <krbdev-bounces@MIT.EDU>
Received: from solipsist-nation ([unix socket])
by solipsist-nation (Cyrus v2.1.5-Debian2.1.5-1) with LMTP; Fri, 15 Aug
2003 21:17:41 -0400
X-Sieve: CMU Sieve 2.2
Return-Path: <krbdev-bounces@MIT.EDU>
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU
[18.7.21.83])
by suchdamage.org (Postfix) with ESMTP id 4FB7013203
for <hartmans@suchdamage.org>; Fri, 15 Aug 2003 21:17:41 -0400 (EDT)
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
by pacific-carrier-annex.mit.edu (8.12.4/8.9.2) with ESMTP id
h7G1Gows026069;
Fri, 15 Aug 2003 21:16:50 -0400 (EDT)
Received: from pch.mit.edu ([127.0.0.1])
by pch.mit.edu (8.12.8p1/8.12.8) with ESMTP id h7G1Frk3015539;
Fri, 15 Aug 2003 21:15:54 -0400 (EDT)
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU
[18.7.7.76])
by pch.mit.edu (8.12.8p1/8.12.8) with ESMTP id h7FLSik0014738
for <krbdev@PCH.mit.edu>; Fri, 15 Aug 2003 17:28:44 -0400 (EDT)
Received: from vandyke.com (mail.vandyke.com [204.134.9.1])
h7FLShYV011591
for <krbdev@mit.edu>; Fri, 15 Aug 2003 17:28:43 -0400 (EDT)
Received: from [127.0.0.1] (HELO vandyke.com)
by vandyke.com (CommuniGate Pro SMTP 3.4.7)
with ESMTP id 1814013 for krbdev@mit.edu; Fri, 15 Aug 2003 15:28:42 -0600
Message-ID: <3F3D508A.4000603@vandyke.com>
Date: Fri, 15 Aug 2003 15:28:42 -0600
From: Joseph Galbraith <galb@vandyke.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.4) Gecko/20030624
X-Accept-Language: en-us, en, ja
To: krbdev@mit.edu
X-Mailman-Approved-At: Fri, 15 Aug 2003 21:15:52 -0400
Subject: Bug in rd_cred.c?
X-BeenThere: krbdev@mit.edu
X-Mailman-Version: 2.1
Precedence: list
List-Id: Kerberos Developers Mailing List <krbdev.mit.edu>
List-Help: <mailto:krbdev-request@mit.edu?subject=help>
List-Post: <mailto:krbdev@mit.edu>
List-Subscribe: <https://mailman.mit.edu/mailman/listinfo/krbdev>,
<mailto:krbdev-request@mit.edu?subject=subscribe>
List-Archive: <http://mailman.mit.edu/pipermail/krbdev>
List-Unsubscribe: <https://mailman.mit.edu/mailman/listinfo/krbdev>,
<mailto:krbdev-request@mit.edu?subject=unsubscribe>
Sender: krbdev-bounces@MIT.EDU
Errors-To: krbdev-bounces@MIT.EDU
X-Spam-Status: No, hits=-0.1 required=5.0 tests=SUBJ_ENDS_IN_Q_MARK
version=2.20
X-Spam-Level:
MIME-Version: 1.0

In decrypt_credencdata, there is the following code:

/* now decode the decrypted stuff */
if ((retval = decode_krb5_enc_cred_part(&scratch, &ppart)))
goto cleanup_encpart;

*pcredenc = *ppart;
retval = 0;

cleanup_encpart:
memset(ppart, 0, sizeof(*ppart));
krb5_xfree(ppart);


However, it appears that decode_krb5_enc_cred_part
cleans up and deallocates ppart if it fails, resulting
in us freeing it a second time when we do krb5_xfree().

This latter causes a crash in malloc in the server
we're writing.

Now, this is the first time I've ever looked at the
krb5 code, so I could be mistaken in my analysis.

When I change goto cleanup_encpart to goto cleanup,
however, my server no longer crashes, and I get
a nice "ASN.1 identifier doesn't match expected value"
error.

- Joseph

_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
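The following is a self-contained C model of the ownership mistake described in both messages above (the report against decrypt_credencdata() and the rd_cred.c observation), added here as an illustration; it is not code from krb5. The names decode_enc_cred_part, decrypt_credencdata, enc_cred_part_t, EXPECTED_TAG and the one-byte-tag/length/address/nonce input layout are assumptions that only mimic the shape of the quoted code, and a quarantining tracked_free() stands in for free()/krb5_xfree() so that the second free is counted rather than executed as undefined behaviour. The decoder keeps the contract the report quotes: it allocates *rep and, on its error_out path, frees *rep itself without nulling the caller's copy.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical stand-ins for krb5_data / krb5_cred_enc_part (not krb5's real types). */
typedef struct { size_t length; const unsigned char *data; } data_t;
typedef struct { uint8_t nonce; char *s_address; } enc_cred_part_t;

enum { ERR_BAD_ID = 1, ERR_NOMEM = 2 };  /* assumed error codes */
#define EXPECTED_TAG 0x7D               /* assumed tag byte; a mismatch plays the role of
                                           "ASN.1 identifier doesn't match expected value" */

/* Quarantining free(): records each pointer handed to it and releases nothing until
   tracker_reset(), so a second free of the same pointer is counted, not executed. */
#define MAX_TRACK 16
static void *g_freed[MAX_TRACK];
static int g_nfreed, g_double_frees;

static void tracked_free(void *p) {
    if (p == NULL) return;
    for (int i = 0; i < g_nfreed; i++)
        if (g_freed[i] == p) { g_double_frees++; return; }   /* UB with a real free() */
    if (g_nfreed < MAX_TRACK) g_freed[g_nfreed++] = p;
}
static void tracker_reset(void) {
    for (int i = 0; i < g_nfreed; i++) free(g_freed[i]);
    g_nfreed = 0; g_double_frees = 0;
}

/* Decoder with the ownership contract of the quoted decode_krb5_enc_cred_part():
   allocates *rep, and on any error frees *rep itself, leaving the caller's pointer
   dangling. Assumed encoding: [tag][addr_len][addr bytes][nonce]. */
static int decode_enc_cred_part(const data_t *code, enc_cred_part_t **rep) {
    int retval;
    size_t alen;
    *rep = calloc(1, sizeof(**rep));
    if (*rep == NULL) return ERR_NOMEM;
    if (code->length < 3 || code->data[0] != EXPECTED_TAG) { retval = ERR_BAD_ID; goto error_out; }
    alen = code->data[1];
    if (code->length != 3 + alen) { retval = ERR_BAD_ID; goto error_out; }
    (*rep)->s_address = malloc(alen + 1);
    if ((*rep)->s_address == NULL) { retval = ERR_NOMEM; goto error_out; }
    memcpy((*rep)->s_address, code->data + 2, alen);
    (*rep)->s_address[alen] = '\0';
    (*rep)->nonce = code->data[2 + alen];
    return 0;
error_out:
    tracked_free((*rep)->s_address);
    tracked_free(*rep);            /* caller's ppart now points at freed memory */
    return retval;
}

/* Caller shaped like the quoted decrypt_credencdata(). `fixed` selects the jump
   target on decode failure: cleanup_encpart (the bug) or cleanup (the fix). */
static int decrypt_credencdata(const data_t *scratch, enc_cred_part_t *pcredenc, int fixed) {
    enc_cred_part_t *ppart = NULL;
    int retval;

    if ((retval = decode_enc_cred_part(scratch, &ppart))) {
        if (fixed) goto cleanup;           /* decoder already released ppart */
        goto cleanup_encpart;              /* bug: ppart gets freed a second time */
    }
    *pcredenc = *ppart;                    /* shallow copy: s_address now owned by pcredenc */
    retval = 0;

cleanup_encpart:
    memset(ppart, 0, sizeof(*ppart));      /* on the bug path this also writes freed memory */
    tracked_free(ppart);
cleanup:
    return retval;
}

/* Constructed inputs (not real Kerberos messages): same body, good vs. wrong tag. */
static const unsigned char k_good[] = { EXPECTED_TAG, 4, 'h', 'o', 's', 't', 0x2A };
static const unsigned char k_bad[]  = { 0x30,         4, 'h', 'o', 's', 't', 0x2A };

/* Runs one caller variant over one input and returns the number of double frees seen. */
static int count_double_frees(const unsigned char *buf, size_t len, int fixed) {
    data_t in = { len, buf };
    enc_cred_part_t out = { 0, NULL };
    tracker_reset();
    (void)decrypt_credencdata(&in, &out, fixed);
    tracked_free(out.s_address);           /* release what a successful decode handed over */
    int n = g_double_frees;
    tracker_reset();
    return n;
}

/* Fixed variant only: decoded nonce on success, negated error code on failure. */
static int decode_nonce_fixed(const unsigned char *buf, size_t len) {
    data_t in = { len, buf };
    enc_cred_part_t out = { 0, NULL };
    tracker_reset();
    int rc = decrypt_credencdata(&in, &out, 1);
    int result = rc ? -rc : out.nonce;
    tracked_free(out.s_address);
    tracker_reset();
    return result;
}

int main(void) {
    printf("buggy caller, bad tag:  %d double free(s)\n", count_double_frees(k_bad, sizeof k_bad, 0));
    printf("fixed caller, bad tag:  %d double free(s)\n", count_double_frees(k_bad, sizeof k_bad, 1));
    printf("fixed caller, good tag: nonce=%d\n", decode_nonce_fixed(k_good, sizeof k_good));
    return 0;
}
```

The point the tracker makes visible is the ownership rule the report leaves open ("one of them shouldn't be free()-ing this"): a callee that frees its output on error must either null the caller's pointer or document that the caller owns nothing after a failure; the krb5 fix chose the caller side, jumping past the cleanup that frees ppart. Under a real allocator the buggy path is the malloc crash the second message describes, and the memset before the second free is a write into freed memory as well.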
From: hartmans@mit.edu
Subject: CVS Commit
Don't double free the encrypted credential part.

To generate a diff of this commit:

cvs diff -r5.421 -r5.422 krb5/src/lib/krb5/krb/ChangeLog
cvs diff -r5.42 -r5.43 krb5/src/lib/krb5/krb/rd_cred.c
From: lxs@mit.edu
Subject: CVS Commit
pullup from trunk

To generate a diff of this commit:

cvs diff -r5.378.2.27 -r5.378.2.28 krb5/src/lib/krb5/krb/ChangeLog
From: lxs@mit.edu
Subject: CVS Commit
pullup from trunk

To generate a diff of this commit:

cvs diff -r5.41.2.1 -r5.41.2.2 krb5/src/lib/krb5/krb/rd_cred.c
From: imc_dl@t-online.de
To: rt-comment@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #1731] CVS Commit
Date: Tue, 26 Aug 2003 09:03:30 +0200 (CEST)
RT-Send-Cc:
How can I unsubscribe from Kerberos?
Thanks for information