To: krb5-bugs@mit.edu
From: Sam Hartman <hartmans@debian.org>
Date: Sat, 04 Jun 2005 19:28:40 -0400
Subject: [Sergio Gelato] Bug#311977: libkrb53: gss_init_sec_context sometimes fails to initialise output_token
Return-Path: <debbugs@bugs.debian.org>
Received: from solipsist-nation ([unix socket])
by solipsist-nation (Cyrus v2.1.16-IPv6-Debian-2.1.16-10) with LMTP;
Sat, 04 Jun 2005 11:24:08 -0400
X-Sieve: CMU Sieve 2.2
Return-Path: <debbugs@bugs.debian.org>
Received: from south-station-annex.mit.edu (SOUTH-STATION-ANNEX.MIT.EDU
[18.72.1.2])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by suchdamage.org (Postfix) with ESMTP id 950391383D
for <hartmans@suchdamage.org>; Sat, 4 Jun 2005 11:24:07 -0400 (EDT)
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU
[18.7.21.83])j54FO12l002825
for <hartmans@suchdamage.org>; Sat, 4 Jun 2005 11:24:01 -0400 (EDT)
Received: from spohr.debian.org (spohr.debian.org [140.211.166.43])
by pacific-carrier-annex.mit.edu (8.12.4/8.9.2) with ESMTP id
j54FNpRx014157
for <hartmans@mit.edu>; Sat, 4 Jun 2005 11:23:51 -0400 (EDT)
Received: from debbugs by spohr.debian.org with local (Exim 3.35 1 (Debian))
id 1DeaPu-0007cG-00; Sat, 04 Jun 2005 08:18:30 -0700
X-Loop: owner@bugs.debian.org
Subject: Bug#311977: libkrb53: gss_init_sec_context sometimes fails to
initialise output_token
Reply-To: Sergio Gelato <Sergio.Gelato@astro.su.se>,
311977-maintonly@bugs.debian.org
Resent-From: Sergio Gelato <Sergio.Gelato@astro.su.se>
Resent-To: Sam Hartman <hartmans@debian.org>
Resent-Date: Sat, 04 Jun 2005 15:18:28 UTC
Resent-Message-ID: <handler.311977.M.111789808127655@bugs.debian.org>
X-Debian-PR-Message: report 311977
X-Debian-PR-Package: libkrb53
X-Debian-PR-Keywords:
Received: via spool by maintonly@bugs.debian.org id=M.111789808127655
(code M ref -1); Sat, 04 Jun 2005 15:18:28 UTC
Received: (at maintonly) by bugs.debian.org; 4 Jun 2005 15:14:41 +0000
Received: from smtp3.su.se [130.237.93.228]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DeaMD-0007Bs-00; Sat, 04 Jun 2005 08:14:41 -0700
Received: from localhost (localhost.localdomain [127.0.0.1])
by smtp3.su.se (Postfix) with ESMTP id 18B9D37E83
for <maintonly@bugs.debian.org>;
Sat, 4 Jun 2005 17:14:39 +0200 (CEST)
Received: from smtp3.su.se ([127.0.0.1])
by localhost (smtp3.su.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP
id 14285-01-69 for <maintonly@bugs.debian.org>;
Sat, 4 Jun 2005 17:14:38 +0200 (CEST)
Received: from [172.16.0.2] (unknown [80.217.34.237])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by smtp3.su.se (Postfix) with ESMTP id D54C337E60
for <maintonly@bugs.debian.org>;
Sat, 4 Jun 2005 17:14:38 +0200 (CEST)
Message-ID: <42A1C51C.20604@astro.su.se>
Date: Sat, 04 Jun 2005 17:13:32 +0200
From: Sergio Gelato <Sergio.Gelato@astro.su.se>
User-Agent: Debian Thunderbird 1.0.2 (X11/20050331)
X-Accept-Language: en-us, en
To: maintonly@bugs.debian.org
X-Virus-Scanned: by amavisd-new at smtp.su.se
Delivered-To: maintonly@bugs.debian.org
Resent-Sender: Debian BTS <debbugs@bugs.debian.org>
X-Scanned-By: MIMEDefang 2.42
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on
solipsist-nation.suchdamage.org
X-Spam-Level:
X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00 autolearn=ham
version=3.0.2
MIME-Version: 1.0

Package: libkrb53
Version: 1.3.6-2

In investigating a suspicious "free(): invalid pointer" message from
ssh-krb5 3.8.1p1-7 I discovered that gss_init_sec_context() doesn't
always initialise output_token (setting output_token->length=0 would be
enough) as required by RFC 2744 section 5.19.

On the OpenSSH side, the problem is exposed by a call from
ssh_gssapi_check_mechanism() that occurs just before kex_setup(). It
would be easy to work around the problem at that point (e.g., by adding
a send_tok->length=0; in ssh_gssapi_init_ctx), but my reading of the API
specification is that gss_init_sec_context(), not the caller, is
responsible for initialising the output token.

The attached patch fixes this problem. Always initialize output_token
from gss_init_sec_context, even if passed an unknown mechanism. The
krb5 version already did this, but the generic code did not. This patch
is already in the Debian package. -- rra@stanford.edu
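The contract at issue above (RFC 2744 section 5.19: gss_init_sec_context must set output_token on every return path, so a caller such as ssh_gssapi_init_ctx can release it unconditionally) is easiest to see with the two glue variants side by side. The following is an added example, not krb5's mechglue code or the attached patch: it uses hypothetical stand-ins for the GSS-API types and OIDs, a constructed "krb5" token, and a toy dispatcher whose "before" form returns on an unknown mechanism without touching output_token and whose "after" form zeroes the buffer on entry. The stale-pointer check stands in for the "free(): invalid pointer" the reporter saw.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the GSS-API types involved; field names follow
 * RFC 2744 but these are not the real <gssapi/gssapi.h> definitions. */
typedef unsigned int OM_uint32;
typedef struct { size_t length; void *value; } gss_buffer_desc, *gss_buffer_t;
typedef struct { size_t length; void *elements; } gss_OID_desc, *gss_OID;

#define GSS_S_COMPLETE 0u
#define GSS_S_BAD_MECH (1u << 16)   /* routine error code, as in RFC 2744 */
#define GSS_S_FAILURE  (13u << 16)

/* Constructed mechanism OIDs: only the "krb5" one is known to the toy glue. */
static unsigned char krb5_oid_bytes[]  = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 };
static gss_OID_desc  krb5_oid          = { sizeof krb5_oid_bytes, krb5_oid_bytes };
static unsigned char bogus_oid_bytes[] = { 0x2a, 0x03, 0x04 };
static gss_OID_desc  bogus_oid         = { sizeof bogus_oid_bytes, bogus_oid_bytes };

static int oid_equal(gss_OID a, gss_OID b) {
    return a->length == b->length && memcmp(a->elements, b->elements, a->length) == 0;
}

/* Toy per-mechanism routine: allocates a small constructed token. The real
 * krb5 mechanism already initialised output_token itself, as the report says. */
static OM_uint32 krb5_init_sec_context(gss_buffer_t output_token) {
    static const char tok[] = "constructed-krb5-token";
    output_token->length = 0;
    output_token->value = malloc(sizeof tok);
    if (output_token->value == NULL)
        return GSS_S_FAILURE;
    memcpy(output_token->value, tok, sizeof tok);
    output_token->length = sizeof tok - 1;
    return GSS_S_COMPLETE;
}

/* "Before": dispatch on the mechanism first. An unknown mechanism returns
 * with output_token exactly as the caller left it, which is the defect. */
static OM_uint32 glue_init_sec_context_before(gss_OID mech, gss_buffer_t output_token) {
    if (!oid_equal(mech, &krb5_oid))
        return GSS_S_BAD_MECH;          /* output_token never initialised */
    return krb5_init_sec_context(output_token);
}

/* "After": initialise output_token on entry so every return path, including
 * the unknown-mechanism error, leaves an empty buffer that is safe to release. */
static OM_uint32 glue_init_sec_context_after(gss_OID mech, gss_buffer_t output_token) {
    output_token->length = 0;
    output_token->value = NULL;
    if (!oid_equal(mech, &krb5_oid))
        return GSS_S_BAD_MECH;
    return krb5_init_sec_context(output_token);
}

/* gss_release_buffer semantics: free a non-empty buffer, then reset it. */
static void release_buffer(gss_buffer_t buf) {
    if (buf->value != NULL)
        free(buf->value);
    buf->length = 0;
    buf->value = NULL;
}

/* Model the OpenSSH caller: send_tok is a local that holds stale contents, and
 * the caller releases it unconditionally after the call. Returns 1 when that
 * release only touches memory the call actually allocated (or nothing), 0 when
 * it would hand a never-allocated pointer to free(). The stale pointer is
 * detected rather than freed so the example does not reproduce the crash. */
static int caller_release_is_safe(OM_uint32 (*init)(gss_OID, gss_buffer_t), gss_OID mech) {
    static int stale_storage;           /* never malloc'd: freeing it is invalid */
    gss_buffer_desc send_tok;
    send_tok.length = 42;               /* simulated garbage from the stack */
    send_tok.value = &stale_storage;

    (void)init(mech, &send_tok);
    if (send_tok.value == &stale_storage)
        return 0;                       /* the "free(): invalid pointer" path */
    release_buffer(&send_tok);
    return 1;
}

/* After the fix, an unknown mechanism must yield GSS_S_BAD_MECH and an empty token. */
static int after_unknown_mech_leaves_empty_token(void) {
    gss_buffer_desc tok = { 42, (void *)1 };
    OM_uint32 maj = glue_init_sec_context_after(&bogus_oid, &tok);
    return maj == GSS_S_BAD_MECH && tok.length == 0 && tok.value == NULL;
}

int main(void) {
    printf("before, unknown mech: release %s\n",
           caller_release_is_safe(glue_init_sec_context_before, &bogus_oid) ? "safe" : "HAZARD");
    printf("after,  unknown mech: release %s\n",
           caller_release_is_safe(glue_init_sec_context_after, &bogus_oid) ? "safe" : "HAZARD");
    return 0;
}
```

The point the example isolates is that the known-mechanism path is fine in both variants; only the error path differs, which is why the bug surfaced intermittently ("sometimes fails to initialise") and only through a caller that probes mechanisms before key exchange.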
[guest - Sat Dec 3 01:26:52 2005]:

> The attached patch fixes this problem.

It apparently didn't attach. Trying this again.

From: Russ Allbery <rra@stanford.edu>
Subject: CVS Commit
Always initialize the output token in gss_init_sec_context as required
by RFC 2744 section 5.19. The krb5 code did this but the generic code
didn't, causing a double-free in OpenSSH.

Commit By: rra
Revision: 18114
Changed Files:
U trunk/src/lib/gssapi/mechglue/g_init_sec_context.c