Ticket History #2870: Crash on exit in mitkfw 2.6.5

Hi,

There are two problems discovered in cc_mslsa.c implementation in kfw
2.6.5

- support for japanese charset
- crash on exit when using gssapi with MSLSA: cache type

Support for japanese is fixed in unicode2ascii routines (Jeff Altman
provided the fix)

+ if (CodePageInfo.MaxCharSize > 1) {
...

Crash on exit is fixed by changing code in krb5_lcc_retrieve -
commenting out krb5_copy_creds and replacing it with the following code:

/* keisa - do not copy - instead just change enctype and flags on
existing ticket */
/* krb5_copy_creds(context, mcreds, &mcreds_noflags); */
mcreds_noflags = mcreds;

mcreds_noflags->ticket_flags = 0;
mcreds_noflags->keyblock.enctype = 0;

if (!GetMSCacheTicketFromMITCred(data->LogonHandle, data->PackageId,
context, mcreds_noflags, &msticket)) {
kret = KRB5_CC_NOTFOUND;
goto cleanup;
}

mcreds_noflags = 0;
mcreds->ticket_flags = ticket_flags;
mcreds->keyblock.enctype = enctype;

Instead of copying to a new ticket with 0 flags, modify flags on
existing ticket, perform GetMSCacheTicketFromMITCred and then revert
flags back to original value.

If these lines are not changed, it will result in app crash on exit.

Complete diff -u attached.

Regards,
Andrei.
--------------------------------------------------------

NOTICE: If received in error, please destroy and notify sender. Sender does not waive confidentiality or privilege, and use is prohibited.

Andrei:

Please try the patch I have attached to this ticket and see if it
resolves your problems.

Thanks.

Jeffrey Altman

? cc_mslsa.c.foo
? obj
? rs_state.ini
? ccapi/obj
Index: cc_mslsa.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/ccache/cc_mslsa.c,v
retrieving revision 5.38
diff -u -r5.38 cc_mslsa.c
--- cc_mslsa.c 16 Dec 2004 19:57:17 -0000 5.38
+++ cc_mslsa.c 11 Jan 2005 21:33:44 -0000
@@ -2369,7 +2369,7 @@
krb5_error_code kret = KRB5_OK;
krb5_lcc_data *data = (krb5_lcc_data *)id->data;
KERB_EXTERNAL_TICKET *msticket = 0, *mstgt = 0, *mstmp = 0;
- krb5_creds * mcreds_noflags;
+ krb5_creds * mcreds_noflags = 0;
krb5_creds fetchcreds;

if (!is_windows_2000())
@@ -2383,7 +2383,9 @@
return KRB5_OK;

/* if not, we must try to get a ticket without specifying any flags or etypes */
- krb5_copy_creds(context, mcreds, &mcreds_noflags);
+ kret = krb5_copy_creds(context, mcreds, &mcreds_noflags);
+ if (kret)
+ goto cleanup;
mcreds_noflags->ticket_flags = 0;
mcreds_noflags->keyblock.enctype = 0;

@@ -2492,7 +2494,7 @@
krb5_error_code kret = KRB5_OK;
krb5_lcc_data *data = (krb5_lcc_data *)id->data;
KERB_EXTERNAL_TICKET *msticket = 0, *msticket2 = 0;
- krb5_creds * creds_noflags;
+ krb5_creds * creds_noflags = 0;

if (!is_windows_2000())
return KRB5_FCC_NOFILE;
@@ -2506,12 +2508,14 @@
/* If not, lets try to obtain a matching ticket from the KDC */
if ( creds->ticket_flags != 0 && creds->keyblock.enctype != 0 ) {
/* if not, we must try to get a ticket without specifying any flags or etypes */
- krb5_copy_creds(context, creds, &creds_noflags);
- creds_noflags->ticket_flags = 0;
- creds_noflags->keyblock.enctype = 0;
+ kret = krb5_copy_creds(context, creds, &creds_noflags);
+ if (kret == 0) {
+ creds_noflags->ticket_flags = 0;
+ creds_noflags->keyblock.enctype = 0;

- GetMSCacheTicketFromMITCred(data->LogonHandle, data->PackageId, context, creds_noflags, &msticket2);
- krb5_free_creds(context, creds_noflags);
+ GetMSCacheTicketFromMITCred(data->LogonHandle, data->PackageId, context, creds_noflags, &msticket2);
+ krb5_free_creds(context, creds_noflags);
+ }
}

GetMSCacheTicketFromMITCred(data->LogonHandle, data->PackageId, context, creds, &msticket);

I attach the stack trace from msaccesss.exe.

I will test the patch you gave and let you know it it helped.

Thanks!