Subject: krb5_get_init_creds_keytab() corrupts keytab structure
When starting the 1st iteration through the keytab file after calling krb5_kt_default(),
calls to krb5_get_init_creds_keytab() will NULL out the FILE * in the krb5_keytab
structure. Subsequent iterations will crash the program with a NULL pointer dereference.
See attached sample program.
Attachment: main.c (text/plain, 2.3KiB)
#include <stdio.h>
#include <string.h>
#include <time.h>

#ifdef __APPLE__
#include <Kerberos/Kerberos.h>   /* macOS Kerberos framework, as in the original report */
#else
#include <krb5.h>
#endif

/****************************************************************************
 * Enumerates the domains: walks the default keytab and, for each principal
 * found, obtains initial credentials with that principal's key.
 ****************************************************************************/
static void
enumerateDomains( void )
{
    /* Get context. */
    krb5_context kcontext;

    if( krb5_init_context( &kcontext ) == 0 )
    {
        /* Get a handle to the keytab file. */
        krb5_keytab keytab = NULL;

        if( krb5_kt_default( kcontext, &keytab ) == 0 )
        {
            /* Setup keytab iteration objects. */
            krb5_kt_cursor cursor;

            memset( &cursor, 0, sizeof( cursor ) );
            if( krb5_kt_start_seq_get( kcontext, keytab, &cursor ) == 0 )
            {
                /* Iterate through keytab entries. */
                krb5_keytab_entry entry;

                memset( &entry, 0, sizeof( entry ) );
                while( krb5_kt_next_entry(
                           kcontext, keytab, &entry, &cursor ) == 0 )
                {
                    char * unparsed_name = NULL;

                    if( krb5_unparse_name(
                            kcontext, entry.principal, &unparsed_name ) == 0 )
                    {
                        krb5_creds host_creds;

                        memset( &host_creds, 0, sizeof( host_creds ) );

                        /* Reported problem: this call reuses the keytab's
                         * FILE * and NULLs it out on return, so the next
                         * krb5_kt_next_entry() above dereferences NULL. */
                        if( krb5_get_init_creds_keytab(
                                kcontext, &host_creds, entry.principal,
                                keytab, 0, NULL, NULL ) == 0 )
                        {
                            long ttl = (long)( host_creds.times.endtime - time( NULL ) );

                            if( ttl < 0 )
                            {
                                ttl = 0;
                            }

                            printf( "Domain = %s, TTL = %ld\n", unparsed_name, ttl );
                            krb5_free_cred_contents( kcontext, &host_creds );
                        }

                        krb5_free_unparsed_name( kcontext, unparsed_name );
                    }

                    krb5_free_keytab_entry_contents( kcontext, &entry );
                }

                krb5_kt_end_seq_get( kcontext, keytab, &cursor );
            }

            krb5_kt_close( kcontext, keytab );
        }

        krb5_free_context( kcontext );
    }
}
/****************************************************************************/

int main( void )
{
    enumerateDomains();
    return 0;
}
To: rt@krbdev.mit.edu
Subject: [krbdev.mit.edu #2198] Not sure this is a bug
Date: Mon, 15 Mar 2004 15:18:53 -0500 (EST)
From: hartmans@mit.edu (Sam Hartman)

It seems that higher level keytab access routines like
krb5_kt_get_entry are built on the lower level sequential get
operations. And these entries delete the cursor when they are done.

krb5_get_init_creds_keytab is an even higher level operation.

It doesn't seem unreasonable to me to simply document this
behavior--that higher level operations will reuse the same cursor and
thus interrupt a sequential get.
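The interaction Sam describes, as an added example that is not code from the ticket or from libkrb5: a small C model of a FILE keytab that keeps its file handle inside the keytab object, with a `krb5_kt_get_entry` stand-in built on the start/next/end sequential get and a `krb5_get_init_creds_keytab` stand-in on top of that. All `sim_*` names, the status codes and the three sample principals are constructed here; the model keeps the cursor position on its own and reproduces only the shared handle, so a NULL handle is reported as a status instead of a crash. The same walk is then run three ways: the reporter's pattern, the same pattern with a second keytab object handed to the high-level call, and a two-phase walk that snapshots the principals before calling anything high-level.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Status codes of this model, not libkrb5 error codes. */
#define SIM_OK       0
#define SIM_KT_END   1   /* plays the role of KRB5_KT_END */
#define SIM_NOTFOUND 2
#define SIM_NULL_FP  3   /* where the real code dereferences the NULL FILE * and crashes */
typedef struct {
    char        *fp;       /* stand-in for the FILE * kept inside the keytab object; NULL when no sequence is open */
    const char **entries;  /* principal names in file order */
    int          count;
} sim_keytab;
typedef struct { int pos; } sim_cursor;
/* Constructed sample keytab with three principals. */
static const char *SAMPLE_PRINCIPALS[] = {
    "host/a.example.com@EXAMPLE.COM", "host/b.example.com@EXAMPLE.COM", "nfs/a.example.com@EXAMPLE.COM",
};
static sim_keytab sample_keytab(void) { sim_keytab kt = { NULL, SAMPLE_PRINCIPALS, 3 }; return kt; }

/* krb5_kt_start_seq_get: (re)open the file and store the handle in the keytab object. */
static int sim_kt_start_seq_get(sim_keytab *kt, sim_cursor *c)
{ free(kt->fp); kt->fp = calloc(1, 1); c->pos = 0; return SIM_OK; }
/* krb5_kt_next_entry: read through the shared handle (the model keeps the position in the cursor;
 * in the real FILE keytab it is the file offset, which is shared as well). */
static int sim_kt_next_entry(sim_keytab *kt, const char **out, sim_cursor *c)
{
    if (kt->fp == NULL) return SIM_NULL_FP;     /* the reported crash, made observable */
    if (c->pos >= kt->count) return SIM_KT_END;
    *out = kt->entries[c->pos++];
    return SIM_OK;
}

/* krb5_kt_end_seq_get: close the handle and NULL it out in the keytab object. */
static int sim_kt_end_seq_get(sim_keytab *kt, sim_cursor *c)
{ (void)c; free(kt->fp); kt->fp = NULL; return SIM_OK; }
/* krb5_kt_get_entry built on the sequential get, as the reply describes: it runs its own
 * start/next/end sequence on the same keytab object, so it closes the caller's handle. */
static int sim_kt_get_entry(sim_keytab *kt, const char *name, const char **out)
{
    sim_cursor c; const char *e; int rc = SIM_NOTFOUND;
    sim_kt_start_seq_get(kt, &c);
    while (sim_kt_next_entry(kt, &e, &c) == SIM_OK)
        if (strcmp(e, name) == 0) { *out = e; rc = SIM_OK; break; }
    sim_kt_end_seq_get(kt, &c);
    return rc;
}

/* krb5_get_init_creds_keytab, the "even higher level operation": it looks the key up first. */
static int sim_get_init_creds_keytab(sim_keytab *kt, const char *princ)
{ const char *e; return sim_kt_get_entry(kt, princ, &e); }

/* Walk kt and call the high-level operation on creds_kt for every entry. With creds_kt == kt
 * this is the ticket's pattern; with a second keytab object for the same file (a second
 * krb5_kt_default or krb5_kt_resolve) the handles are independent and the walk completes. */
static int enumerate_interleaved(sim_keytab *kt, sim_keytab *creds_kt, int *done)
{
    sim_cursor c; const char *e; int rc;
    *done = 0;
    sim_kt_start_seq_get(kt, &c);
    while ((rc = sim_kt_next_entry(kt, &e, &c)) == SIM_OK)
        if (sim_get_init_creds_keytab(creds_kt, e) == SIM_OK) (*done)++;
    sim_kt_end_seq_get(kt, &c);
    return rc == SIM_KT_END ? SIM_OK : rc;
}

/* Snapshot the principals, end the sequence, then do the per-principal work on the same
 * object. With the real API, krb5_copy_principal each one before freeing the entry. */
static int enumerate_two_phase(sim_keytab *kt, int *done)
{
    sim_cursor c; const char *e; int rc, i, n = 0;
    const char **names = calloc((size_t)kt->count, sizeof *names);
    *done = 0;
    sim_kt_start_seq_get(kt, &c);
    while ((rc = sim_kt_next_entry(kt, &e, &c)) == SIM_OK) names[n++] = e;
    sim_kt_end_seq_get(kt, &c);
    for (i = 0; i < n; i++)
        if (sim_get_init_creds_keytab(kt, names[i]) == SIM_OK) (*done)++;
    free(names);
    return rc == SIM_KT_END ? SIM_OK : rc;
}

/* Each scenario runs on a fresh sample keytab and returns 100 * status + entries processed. */
static int scenario_ticket(void)
{ sim_keytab kt = sample_keytab(); int n, rc = enumerate_interleaved(&kt, &kt, &n); return 100 * rc + n; }
static int scenario_second_handle(void)
{ sim_keytab kt = sample_keytab(), kt2 = sample_keytab(); int n, rc = enumerate_interleaved(&kt, &kt2, &n); return 100 * rc + n; }
static int scenario_two_phase(void)
{ sim_keytab kt = sample_keytab(); int n, rc = enumerate_two_phase(&kt, &n); return 100 * rc + n; }

int main(void)
{
    printf("same object (the ticket's pattern): %d\n", scenario_ticket());
    printf("second keytab object: %d\n", scenario_second_handle());
    printf("two-phase walk: %d\n", scenario_two_phase());
    return 0;
}
```

Built with `cc -std=c99 -Wall`, the ticket's pattern stops with status 3 after processing one entry, while the other two walks process all three. Mapped back onto the real API, the second-handle variant is a second `krb5_kt_default()` (or `krb5_kt_resolve()` of the same path) passed as the keytab argument of `krb5_get_init_creds_keytab()`, and the two-phase variant needs `krb5_copy_principal()` for each snapshot because `krb5_free_keytab_entry_contents()` frees the entry's principal. Both keep working whether or not a given libkrb5 build shares the handle the way the reply describes.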