Subject: Crash on exit in mitkfw 2.6.5 after krb5_copy_cred call in cc_mslsa.c
The applied patch in ticket 2870 did not fix the problem.
A previously unreported but crucial piece of information: the crash
only occurs if the requested service ticket does not previously exist in
the LSA ccache.

I think I now have a test case I can use to reproduce the crash.
Andrei:

Please try the following patches:

Index: copy_princ.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/copy_princ.c,v
retrieving revision 5.24
diff -u -w -r5.24 copy_princ.c
--- copy_princ.c 3 Sep 2002 01:13:45 -0000 5.24
+++ copy_princ.c 15 Jan 2005 03:11:37 -0000
@@ -60,31 +60,35 @@
for (i = 0; i < nelems; i++) {
unsigned int len = krb5_princ_component(context, inprinc,
i)->length;
krb5_princ_component(context, tempprinc, i)->length = len;
+ if (len) {
if (((krb5_princ_component(context, tempprinc, i)->data =
- malloc(len)) == 0) && len) {
+ malloc(len)) == 0)) {
while (--i >= 0)
free(krb5_princ_component(context, tempprinc, i)->data);
free (tempprinc->data);
free (tempprinc);
return ENOMEM;
}
- if (len)
memcpy(krb5_princ_component(context, tempprinc, i)->data,
krb5_princ_component(context, inprinc, i)->data, len);
+ } else
+ krb5_princ_component(context, tempprinc, i)->data = 0;
}

+ if (tempprinc->realm.length) {
tempprinc->realm.data =
malloc(tempprinc->realm.length = inprinc->realm.length);
- if (!tempprinc->realm.data && tempprinc->realm.length) {
+ if (!tempprinc->realm.data) {
for (i = 0; i < nelems; i++)
free(krb5_princ_component(context, tempprinc, i)->data);
free(tempprinc->data);
free(tempprinc);
return ENOMEM;
}
- if (tempprinc->realm.length)
memcpy(tempprinc->realm.data, inprinc->realm.data,
inprinc->realm.length);
+ } else
+ tempprinc->realm.data = 0;

*outprinc = tempprinc;
return 0;
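Review bot: in the realm block, the new guard `if (tempprinc->realm.length)` tests a field of the copy that, within this hunk, is only assigned inside the malloc argument (`malloc(tempprinc->realm.length = inprinc->realm.length)`), and the new `else` branch sets `tempprinc->realm.data = 0;` without setting the length. Both depend on `tempprinc->realm.length` having been copied from `inprinc` earlier in the function, outside this hunk; testing `inprinc->realm.length` directly and assigning `tempprinc->realm.length` explicitly in both branches would make the block self-contained and robust against changes to that earlier copy. Minor: `if (((krb5_princ_component(context, tempprinc, i)->data = malloc(len)) == 0)) {` keeps a redundant outer pair of parentheses now that the `&& len` clause is gone.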

Index: cp_key_cnt.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/cp_key_cnt.c,v
retrieving revision 5.12
diff -u -w -r5.12 cp_key_cnt.c
--- cp_key_cnt.c 3 Sep 2002 01:13:45 -0000 5.12
+++ cp_key_cnt.c 15 Jan 2005 03:11:37 -0000
@@ -36,9 +36,12 @@
krb5_copy_keyblock_contents(krb5_context context, const krb5_keyblock
*from, krb5_keyblock *to)
{
*to = *from;
+ if (to->length) {
to->contents = (krb5_octet *)malloc(to->length);
if (!to->contents)
return ENOMEM;
memcpy((char *)to->contents, (char *)from->contents, to->length);
+ } else
+ to->contents = 0;
return 0;
}
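Review bot: the zero-length special case in `krb5_copy_keyblock_contents` needs a comment, since nothing in the code says why `malloc(to->length)` must be skipped when `to->length` is 0 (on platforms where `malloc(0)` returns NULL the result would be misreported as ENOMEM, which is the rationale given in this ticket); without it a later cleanup could fold the two branches back together and reintroduce the bug. Minor: the `(char *)` casts on the `memcpy` arguments are unnecessary, as `memcpy` takes `void *`.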
From: jaltman@mit.edu
Subject: CVS Commit
* cp_key_cnt.c, copy_princ.c:
prevent krb5_copy_principal() and krb5_copy_keyblock() from
calling malloc(0). On platforms in which malloc(0) returns
NULL, these functions will return an ENOMEM error the way
they were written.

To generate a diff of this commit:

cvs diff -r5.457 -r5.458 krb5/src/lib/krb5/krb/ChangeLog
cvs diff -r5.24 -r5.25 krb5/src/lib/krb5/krb/copy_princ.c
cvs diff -r5.12 -r5.13 krb5/src/lib/krb5/krb/cp_key_cnt.c
Confirmation has been received from Andrei that the patch does indeed
prevent the random memory corruption.
From: tlyu@mit.edu
Subject: CVS Commit
pullup from trunk

To generate a diff of this commit:

cvs diff -r5.455.2.1 -r5.455.2.2 krb5/src/lib/krb5/krb/ChangeLog
cvs diff -r5.24 -r5.24.10.1 krb5/src/lib/krb5/krb/copy_princ.c
cvs diff -r5.12 -r5.12.10.1 krb5/src/lib/krb5/krb/cp_key_cnt.c