From kdrenard@ARL.MIL Fri Jan 31 14:43:09 1997
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU []) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id OAA27497 for <bugs@RT-11.MIT.EDU>; Fri, 31 Jan 1997 14:43:09 -0500
Received: from by MIT.EDU with SMTP
id AA10084; Fri, 31 Jan 97 14:43:06 EST
Message-Id: <9701311442.aa02426@SMOKEY.ARL.MIL>
Date: Fri, 31 Jan 97 14:42:57 EST
From: "Kenneth D. Renard" (CICC/HPCD) <kdrenard@ARL.MIL>
To: krb5-bugs@MIT.EDU
Cc: kdrenard@ARL.MIL
Subject: Bug Report

>Number: 361
>Category: krb5-kdc
>Synopsis: KDC crashes on incompatible kvno/keytypes
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: tlyu
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Jan 31 14:44:01 EST 1997
>Last-Modified: Fri May 30 15:56:37 EDT 1997
>Originator: Kenneth D. Renard <kdrenard>
Army Research Lab
>Release: 1.0 (plus, b6, and probably b7)
System: SunOS 5.5.1 Generic_103640-03 sun4u sparc SUNW,Ultra-1
Architecture: sun4

In lib/kdb/keytab.c, return value from krb5_dbe_find_enctype()
is not checked. If an error occurs and key_data is not returned
correctly, next call to krb5_dbekd_decrypt_key_data() chokes on
invalid pointer and crashes KDC.

(Error observed on Beta6 KDC, but code is the same in v1.0.)
A cross-realm principal was created in both realms:
REALM1: krbtgt/REALM2@REALM1 kvno = 1
REALM2: krbtgt/REALM2@REALM1 kvno = 2
A cross-realm authentication attempt was made from REALM1 to REALM2.
REALM2 looked up krbtgt/REALM2@REALM1 in krb5_ktkdb_get_entry()
(keytab.c line 117). The call to krb5_dbe_find_enctype() (keytab.c
line 130) was unsuccessful in matching kvnos and returned ENOENT
without filling in the krb5_key_data pointer.

krb5_ktkdb_get_entry() ignored this error code and the following call
to krb5_dbekd_decrypt_key_data() choked when passed a bogus
krb5_key_data pointer and dumped core.


Check return value of krb5_dbe_find_enctype() call

RCS file: RCS/keytab.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -c -r1.1 -r1.2
*** /tmp/T0a02311 Fri Jan 31 14:38:57 1997
--- /tmp/T1a02311 Fri Jan 31 14:38:57 1997
*** 127,133 ****
/* match key */
krb5_dbm_db_get_mkey(context, id->ops, &master_key);
! krb5_dbe_find_enctype(context, &db_entry, enctype, -1, kvno, &key_data);

if (kerror = krb5_dbekd_decrypt_key_data(context, master_key, key_data,
&entry->key, NULL))
--- 127,135 ----
/* match key */
krb5_dbm_db_get_mkey(context, id->ops, &master_key);
! if (kerror = krb5_dbe_find_enctype(context, &db_entry, enctype, -1, kvno,
! &key_data))
! goto error;

if (kerror = krb5_dbekd_decrypt_key_data(context, master_key, key_data,
&entry->key, NULL))
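Review bot: the call on the line just above the changed one, krb5_dbm_db_get_mkey(context, id->ops, &master_key), still has its return value dropped, so a failure there hands an unset master_key to krb5_dbekd_decrypt_key_data; the same treatment the hunk gives krb5_dbe_find_enctype applies: `if (kerror = krb5_dbm_db_get_mkey(context, id->ops, &master_key)) goto error;`. The error: label is outside the hunk, so confirm it releases the db_entry looked up earlier in this function and the new early exit does not leak it. Consider also mapping the ENOENT from a kvno mismatch to a keytab-specific code such as KRB5_KT_KVNONOTFOUND before returning, so the KDC reports a key version mismatch rather than a bare errno value.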

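The lookup and the check the report asks for, as an added example that is not krb5 source: the structs and functions below (find_enctype, decrypt_key_data, ktkdb_get_entry, struct key_data, struct db_entry) are simplified stand-ins for krb5_dbe_find_enctype(), krb5_dbekd_decrypt_key_data(), krb5_ktkdb_get_entry() and the kdb types, and the realm2_xrealm entry with its kvno 2 key is constructed to reproduce the cross-realm scenario above. The stand-in lookup keeps the behaviour the report describes (ENOENT, output pointer untouched) so the early return in ktkdb_get_entry is what stands between the KDC and a dereference of an uninitialised stack pointer.

```c
/* Added example, not krb5 code: models the kvno/enctype lookup that
 * krb5_dbe_find_enctype() performs and the return-value check the patch adds.
 * All names and structs here are simplified stand-ins, not the real kdb types. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum { ENCTYPE_DES_CBC_CRC = 1, ENCTYPE_DES_CBC_MD5 = 3 };
enum { SALTTYPE_ANY = -1 };

/* One key slot of a principal's database entry (stand-in for krb5_key_data). */
struct key_data {
    int kvno;
    int enctype;
    int salttype;
    unsigned char key[8];   /* master-key-encrypted key material (constructed) */
};

/* A principal entry holding several key versions (stand-in for krb5_db_entry). */
struct db_entry {
    const char *princ;
    int n_keys;
    struct key_data keys[4];
};

/* Stand-in for krb5_dbe_find_enctype(): return the first key slot matching
 * enctype, salttype (SALTTYPE_ANY matches any) and kvno (0 matches any).
 * On no match it returns ENOENT and leaves *out untouched, which is exactly
 * the behaviour the report describes. */
int find_enctype(const struct db_entry *e, int enctype, int salttype,
                 int kvno, const struct key_data **out)
{
    for (int i = 0; i < e->n_keys; i++) {
        const struct key_data *k = &e->keys[i];
        if (k->enctype != enctype) continue;
        if (salttype != SALTTYPE_ANY && k->salttype != salttype) continue;
        if (kvno != 0 && k->kvno != kvno) continue;
        *out = k;
        return 0;
    }
    return ENOENT;
}

/* Stand-in for krb5_dbekd_decrypt_key_data(): here just a byte copy.
 * It dereferences kd unconditionally, so a garbage pointer crashes here. */
int decrypt_key_data(const struct key_data *kd, unsigned char plain[8])
{
    memcpy(plain, kd->key, 8);
    return 0;
}

/* Patched form of krb5_ktkdb_get_entry(): the lookup result is checked before
 * the key pointer reaches decrypt. Returns 0 or an errno-style code. */
int ktkdb_get_entry(const struct db_entry *e, int enctype, int kvno,
                    unsigned char plain[8])
{
    const struct key_data *kd;   /* deliberately uninitialised, as in the KDC */
    int err = find_enctype(e, enctype, SALTTYPE_ANY, kvno, &kd);
    if (err)
        return err;   /* the check the patch adds; without it the next call
                         would dereference whatever was on the stack */
    return decrypt_key_data(kd, plain);
}

/* Constructed scenario from the report: REALM2 holds krbtgt/REALM2@REALM1
 * only at kvno 2, while the ticket presented from REALM1 was issued at kvno 1. */
static const struct db_entry realm2_xrealm = {
    "krbtgt/REALM2@REALM1", 1,
    { { 2, ENCTYPE_DES_CBC_CRC, 0, { 2, 2, 2, 2, 2, 2, 2, 2 } } },
};

int main(void)
{
    unsigned char plain[8];
    int err = ktkdb_get_entry(&realm2_xrealm, ENCTYPE_DES_CBC_CRC, 1, plain);
    printf("kvno 1 lookup: %s\n", err ? strerror(err) : "ok");
    err = ktkdb_get_entry(&realm2_xrealm, ENCTYPE_DES_CBC_CRC, 2, plain);
    printf("kvno 2 lookup: %s\n", err ? strerror(err) : "ok");
    return 0;
}
```

The kvno 1 request comes back as ENOENT without touching the caller's pointer; the kvno 2 request succeeds and copies the key out. Dropping the `if (err) return err;` line reproduces the reported crash on the first request.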
State-Changed-From-To: open-analyzed
State-Changed-By: tlyu
State-Changed-When: Sun Mar 16 02:29:05 1997

This patch looks ok... I'll see about applying it soon.

State-Changed-From-To: analyzed-feedback
State-Changed-By: tlyu
State-Changed-When: Sun Mar 16 21:23:07 1997

Patch committed, with some changes. This should go into 1.0p1.
lib/kdb/keytab.c 5.7

Responsible-Changed-From-To: krb5-unassigned->tlyu
Responsible-Changed-By: tlyu
Responsible-Changed-When: Mon Mar 17 13:07:29 1997

should have changed to me...

State-Changed-From-To: feedback-closed
State-Changed-By: tlyu
State-Changed-When: Fri May 30 15:56:21 1997

1.0pl1 has been released

X-send-pr-version: 3.99