From krb5-bugs-incoming-bounces@PCH.mit.edu Sat Apr 22 22:09:00 2006
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by krbdev.mit.edu (8.9.3p2) with ESMTP
id WAA25446; Sat, 22 Apr 2006 22:09:00 -0400 (EDT)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id k3N28PMF027605
for <krb5-send-pr@krbdev.mit.edu>; Sat, 22 Apr 2006 22:08:25 -0400
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU
[18.7.21.83])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id k3LDd5J5005237
for <krb5-bugs-incoming@PCH.mit.edu>; Fri, 21 Apr 2006 09:39:05 -0400
Received: from farside.sncag.com ([217.111.56.2])
by pacific-carrier-annex.mit.edu (8.13.6/8.9.2) with ESMTP id
k3LDd7NM021001
for <krb5-bugs@mit.edu>; Fri, 21 Apr 2006 09:39:07 -0400 (EDT)
Received: from farside.sncag.com (localhost [127.0.0.1])
by farside.sncag.com (8.13.4/8.13.4/Debian-3sarge1) with ESMTP id
k3LDd6Y1015047
for <krb5-bugs@mit.edu>; Fri, 21 Apr 2006 15:39:06 +0200
Received: (from rw@localhost)
by farside.sncag.com (8.13.4/8.13.4/Submit) id k3LDd6GD015044;
Fri, 21 Apr 2006 15:39:06 +0200
Date: Fri, 21 Apr 2006 15:39:06 +0200
From: Rainer Weikusat <rainer.weikusat@sncag.com>
Message-Id: <200604211339.k3LDd6GD015044@farside.sncag.com>
To: krb5-bugs@mit.edu
Subject: Incorrect error check in src/lib/krb5/keytab/kt_file.c
X-send-pr-version: 3.99
X-Spam-Score: -2.599
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
X-Mailman-Approved-At: Sat, 22 Apr 2006 22:08:24 -0400
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Reply-To: rainer.weikusat@sncag.com
Sender: krb5-bugs-incoming-bounces@PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu
>Submitter-Id: net
>Originator: Rainer Weikusat
>Organization: SNC AG
>Confidential: no
>Synopsis: EOF mistakenly interpreted as error causes re-use of closed stream
>Category: krb5-libs
>Class: sw-bug
>Release: 1.4.3
>Environment:
System: Linux farside 2.6.16.9 #3 Wed Apr 19 11:30:29 CEST 2006 i686 GNU/Linux
Architecture: i686
>Description:
The file mentioned in the subject contains the following code section,
which is supposed to deal with read errors occurring during an attempted
kvno read from an existing keytab file:

    if (!xfread(&kt_vno, sizeof(kt_vno), 1, KTFILEP(id))) {
        if (feof(KTFILEP(id))) kerror = KRB5_KT_END;
        else kerror = errno;
        (void) krb5_unlock_file(context, fileno(KTFILEP(id)));
        (void) fclose(KTFILEP(id));
        return kerror;
    }

This is incorrect, because xfread (fread) can return zero if the file exists
and is empty, with errno also being zero (because no error occurred), which
will lead to the stream being closed without an error indication passed up
to the caller (which, in my case, will proceed with calling fseek on the
closed stream, returning KRB5_KT_END as EINVAL-in-disguise and finally
crashing inside malloc while trying to format an error message to be
printed describing this error (add codepath)).
>How-To-Repeat:
Call krb5_kt_add_entry w/ a keytab id referring to a file that exists
and is empty and try to print an error message via (Linux/Gnu) vsyslog
afterwards.
>Fix:
--- src/lib/krb5/keytab/kt_file.c 19 Mar 2006 14:42:00 -0000 1.1.1.1
+++ src/lib/krb5/keytab/kt_file.c 21 Apr 2006 13:14:34 -0000 1.2
@@ -1107,7 +1107,9 @@
} else {
/* gotta verify it instead... */
if (!xfread(&kt_vno, sizeof(kt_vno), 1, KTFILEP(id))) {
- kerror = errno;
+ if (feof(KTFILEP(id))) kerror = KRB5_KT_END;
+ else kerror = errno;
+
(void) krb5_unlock_file(context, fileno(KTFILEP(id)));
(void) fclose(KTFILEP(id));
return kerror;
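
Review bot: In the `else kerror = errno;` branch the function can still return 0 after `fclose(KTFILEP(id))` whenever the short read is neither at end of file nor accompanied by a set errno, which is the same closed-stream-with-success outcome this change is meant to remove. Consider clearing errno before the `xfread` call and substituting a fixed nonzero code when it is still 0, for example `else kerror = errno ? errno : EIO;`. The added blank `+` line and the one-line `if`/`else` bodies would also read better with one statement per line.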
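
The condition the report describes, reproduced as an added example that is not part of the original report or of the krb5 source: a short read on an existing, empty file leaves errno at 0, so the errno-only mapping hands "success" to the caller. `DEMO_KT_END`, `map_short_read_old`, `map_short_read_new` and `probe_empty_file` are hypothetical names, and plain `fread` stands in for `xfread`.

```c
#include <errno.h>
#include <stdio.h>

/* Stand-in for KRB5_KT_END; the value is constructed for this demo. */
#define DEMO_KT_END (-1)

/* Mapping as on the "-" line of the patch: trusts errno alone. */
static int map_short_read_old(FILE *fp)
{
    (void) fp;
    return errno;
}

/* Mapping as on the "+" lines: end of file gets its own nonzero code. */
static int map_short_read_new(FILE *fp)
{
    if (feof(fp)) return DEMO_KT_END;
    return errno;
}

/* Reads a 2-byte version field from an empty temporary file and returns
 * the code the given mapping would pass up (0 reads as "no error"). */
static int probe_empty_file(int (*map)(FILE *))
{
    unsigned short vno = 0;
    int code = 0;
    FILE *fp = tmpfile();      /* constructed input: file exists, 0 bytes */

    if (fp == NULL) return -2; /* could not set up the demo */
    errno = 0;
    if (fread(&vno, sizeof(vno), 1, fp) != 1)
        code = map(fp);        /* the reported code closes the stream here */
    fclose(fp);
    return code;               /* 0 here means the caller keeps going */
}

int main(void)
{
    printf("errno-only mapping: %d\n", probe_empty_file(map_short_read_old));
    printf("feof-aware mapping: %d\n", probe_empty_file(map_short_read_new));
    return 0;
}
```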