From wolfgang@wsrcc.com Mon Jul 14 21:13:15 1997
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id VAA09018 for <bugs@RT-11.MIT.EDU>; Mon, 14 Jul 1997 21:13:14 -0400
Received: from c460058-a.frmt1.sfba.home.com by MIT.EDU with SMTP
id AA21016; Mon, 14 Jul 97 21:11:59 EDT
Received: (from wolfgang@localhost)
by capsicum.wsrcc.com (8.8.6/8.8.6) id SAA16178;
Mon, 14 Jul 1997 18:13:13 -0700 (PDT)
Message-Id: <199707150113.SAA16178@capsicum.wsrcc.com>
Date: Mon, 14 Jul 1997 18:13:13 -0700 (PDT)
From: Wolfgang Rupprecht <wolfgang@wsrcc.com>
Reply-To: wolfgang@wsrcc.com
To: krb5-bugs@MIT.EDU
Subject: kdc dumps core with require-preauth
X-Send-Pr-Version: 3.99
>Number: 444
>Category: krb5-kdc
>Synopsis: kdc (and secondaries) dump core with preauth
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: tlyu
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Mon Jul 14 21:14:00 EDT 1997
>Last-Modified: Tue Jul 15 02:06:01 EDT 1997
>Originator: Wolfgang Rupprecht
>Organization:
W S Rupprecht Computer Consulting, Fremont CA
>Release: 1.0pl1
>Environment:
System: NetBSD capsicum.wsrcc.com 1.2G NetBSD 1.2G (WSRCC) #1: Sun Jul 13 07:31:42 PDT 1997 root@capsicum.wsrcc.com:/v/netbsd-current/sys/arch/i386/compile/WSRCC i386
Also seen under SunOS 4.1.4 on a sparc ss5 w. gcc -02.
>Description:
The kdc (and secondaries) dump core when a principal that has the require-preauth attr. set tries to kinit.
>How-To-Repeat:
kadmin.local
modprinc +requires_preauth test
^D
(wait for it to propagate)
kinit test
<blam> (all kdc's in realm take a snooze.)
>Fix:
Program received signal SIGSEGV (11), Segmentation fault
0x4010e41f in memset ()
(gdb) bt
Reading in symbols for ../../kdc/kdc_preauth.c...
debug info mismatch between compiler and debugger...done.
Reading in symbols for ../../kdc/do_as_req.c...done.
Reading in symbols for ../../kdc/dispatch.c...done.
Reading in symbols for ../../kdc/network.c...done.
#0 0x4010e41f in memset ()
#1 0x400a489c in krb5_free_etype_info ()
#2 0x5f92 in get_preauth_hint_list (request=0x16180, client=0xf7bfc718,
server=0xf7bfc6d8, e_data=0xf7bfc5e4) at ../../kdc/kdc_preauth.c:207
#3 0x21c0 in process_as_req (request=0x16180, from=0x0, portnum=88,
response=0xf7bfc7a4) at ../../kdc/do_as_req.c:293
#4 0x1985 in dispatch (pkt=0xf7bfd7b4, from=0xf7bfc7a8, portnum=88,
response=0xf7bfc7a4) at ../../kdc/dispatch.c:62
#5 0xa751 in process_packet (port_fd=16, prog=0xf7bfd959 "krb5kdc",
portnum=88) at ../../kdc/network.c:177
#6 0xa941 in listen_and_process (prog=0xf7bfd959 "krb5kdc")
at ../../kdc/network.c:221
#7 0xa2d4 in main (argc=2, argv=0xf7bfd880) at ../../kdc/main.c:912
It appears that the memset sees an uninitialized length and proceeds
to clear half of memory. Here is one possible fix.
cd /u/src/krb5-1.0pl1/src/kdc/
diff -c /u/src/krb5-1.0pl1/src/kdc/kdc_preauth.c.\~1\~ /u/src/krb5-1.0pl1/src/kdc/kdc_preauth.c
*** /u/src/krb5-1.0pl1/src/kdc/kdc_preauth.c.~1~ Wed Apr 2 23:42:18 1997
--- /u/src/krb5-1.0pl1/src/kdc/kdc_preauth.c Mon Jul 14 17:59:20 1997
***************
*** 622,627 ****
--- 622,630 ----
char inputblock[8];
krb5_data predict_response;
+ /* XXX: mostly for the memset() at cleanup at the end. -wsr */
+ memset (&encrypting_key, 0, sizeof(encrypting_key));
+
/* Given the client name we can figure out what type of preauth
they need. The spec is currently for querying the database for
names that match the types of preauth used. Later we should
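Review bot: the hunk zeroes encrypting_key in the function around line 622, but the backtrace places the crash in krb5_free_etype_info called from get_preauth_hint_list at kdc_preauth.c:207, a different function, so the uninitialized length that memset reads there belongs to whatever etype_info object that function frees, and this hunk does not reach that path. Suggest also zero-initializing the etype_info entries (or at least their length fields) in get_preauth_hint_list before any error path can hand them to krb5_free_etype_info, and, since the declaration of encrypting_key is outside the hunk's context, confirming it is a struct rather than a pointer so that sizeof(encrypting_key) covers the whole object.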
Diff finished at Mon Jul 14 18:01:35
>Audit-Trail:
Responsible-Changed-From-To: krb5-unassigned->tlyu
Responsible-Changed-By: tlyu
Responsible-Changed-When: Tue Jul 15 02:02:13 1997
Responsible-Changed-Why:
State-Changed-From-To: open-closed
State-Changed-By: tlyu
State-Changed-When: Tue Jul 15 02:02:33 1997
State-Changed-Why:
Fixed
src/kdc/kdc_preauth.c 5.15
From: Tom Yu <tlyu@MIT.EDU>
To: wolfgang@wsrcc.com
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-kdc/444: kdc (and secondaries) dump core with preauth
Date: Tue, 15 Jul 1997 02:04:54 -0400
Thanks for your bug report; the problem has been fixed in our master
sources.
---Tom
>Unformatted:
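The failure in this report (a cleanup routine calling memset with a length field that an early-error path never set, so "half of memory" gets cleared and every KDC that receives the AS-REQ dies) is a general bug class, and the reporter's remedy of zeroing the struct at declaration is the general fix. The following is an added example written for this page, not code from MIT krb5 or from the reporter: the keyblock layout, the hypothetical derive_key() helper and the function names are assumptions made for the illustration. Because the wild memset cannot be executed safely, the vulnerable caller returns the length the cleanup would have trusted instead of performing the write, and it poisons the stack variable with 0xAA to make the stale contents deterministic.

```c
/*
 * Added example, not MIT krb5 code: the bug class behind this report.
 * A zero-on-free cleanup that trusts a length stored in the struct is
 * only safe if every path reaching it has initialized that struct. An
 * early error return that skips the initialization leaves stack garbage
 * in the length, and the memset in the cleanup becomes a wild write.
 * The keyblock layout and derive_key() are assumptions for illustration.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for a Kerberos keyblock: type, length, heap buffer. */
struct keyblock {
    int32_t enctype;
    size_t length;
    unsigned char *contents;
};

/* Hypothetical key derivation. With fail_early set it returns an error
 * before writing anything into *out, the path that leaves *out
 * uninitialized in the vulnerable caller below. */
static int derive_key(struct keyblock *out, int fail_early) {
    if (fail_early)
        return -1;                      /* error before *out is touched */
    out->enctype = 1;
    out->length = 8;
    out->contents = malloc(out->length);
    if (out->contents == NULL)
        return -1;
    memset(out->contents, 0x5a, out->length); /* constructed key bytes */
    return 0;
}

/* Zero-on-free in the style the backtrace shows: memset inside the free
 * routine, trusting kb->length. Safe only on an initialized keyblock. */
static void keyblock_free_naive(struct keyblock *kb) {
    memset(kb->contents, 0, kb->length);
    free(kb->contents);
}

/* Hardened variant: tolerates a zeroed keyblock on the error path and
 * leaves the struct in a state where a second free is harmless. */
static void keyblock_free_safe(struct keyblock *kb) {
    if (kb->contents != NULL) {
        memset(kb->contents, 0, kb->length);
        free(kb->contents);
    }
    kb->contents = NULL;
    kb->length = 0;
}

/* Vulnerable caller shape. On the early-error path it returns the length
 * a naive cleanup would pass to memset instead of performing the write.
 * What a compiler leaves in an auto variable is unspecified, so the stale
 * stack contents are simulated by poisoning the struct with 0xAA. */
static size_t cleanup_length_seen(int initialize, int fail_early) {
    struct keyblock key;
    memset(&key, 0xAA, sizeof key);     /* simulated stack garbage */
    if (initialize)
        memset(&key, 0, sizeof key);    /* the reporter's fix, in effect */
    if (derive_key(&key, fail_early) != 0)
        return key.length;              /* naive cleanup would trust this */
    keyblock_free_naive(&key);          /* initialized: length is correct */
    return key.length;
}

/* Fixed caller: zero-initialize at declaration so the cleanup is a no-op
 * on the error path and a real wipe on the success path. Returns 1 if
 * both paths leave the keyblock empty. */
static int fixed_caller_ok(void) {
    struct keyblock key = {0};
    if (derive_key(&key, 1) != 0)
        keyblock_free_safe(&key);       /* no-op: contents == NULL */
    if (key.contents != NULL || key.length != 0)
        return 0;
    if (derive_key(&key, 0) != 0)
        return 0;
    keyblock_free_safe(&key);           /* wipes 8 bytes, frees, resets */
    keyblock_free_safe(&key);           /* second call is harmless */
    return key.contents == NULL && key.length == 0;
}

int main(void) {
    printf("uninitialized, early error: cleanup would memset %zu bytes\n",
           cleanup_length_seen(0, 1));
    printf("zeroed first, early error: cleanup would memset %zu bytes\n",
           cleanup_length_seen(1, 1));
    printf("fixed caller ok: %d\n", fixed_caller_ok());
    return 0;
}
```

The 0xAA poisoning is the same idea as MemorySanitizer (clang -fsanitize=memory) or running under valgrind, which report the uninitialized length at the memset instead of letting the process clear memory until it faults; either is a quick way to confirm a fix of this kind covers every path into the cleanup, not just the one that happened to crash.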