From Mon Jul 14 21:13:15 1997
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU []) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id VAA09018 for <bugs@RT-11.MIT.EDU>; Mon, 14 Jul 1997 21:13:14 -0400
Received: from by MIT.EDU with SMTP
id AA21016; Mon, 14 Jul 97 21:11:59 EDT
Received: (from wolfgang@localhost)
by (8.8.6/8.8.6) id SAA16178;
Mon, 14 Jul 1997 18:13:13 -0700 (PDT)
Message-Id: <>
Date: Mon, 14 Jul 1997 18:13:13 -0700 (PDT)
From: Wolfgang Rupprecht <>
To: krb5-bugs@MIT.EDU
Subject: kdc dumps core with require-preauth
X-Send-Pr-Version: 3.99

>Number: 444
>Category: krb5-kdc
>Synopsis: kdc (and secondaries) dump core with preauth
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: tlyu
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Mon Jul 14 21:14:00 EDT 1997
>Last-Modified: Tue Jul 15 02:06:01 EDT 1997
>Originator: Wolfgang Rupprecht
W S Rupprecht Computer Consulting, Fremont CA
>Release: 1.0pl1
System: NetBSD 1.2G NetBSD 1.2G (WSRCC) #1: Sun Jul 13 07:31:42 PDT 1997 i386

Also seen under SunOS 4.1.4 on a sparc ss5 w. gcc -O2.

the kdc (and secondaries) dump core when a principal that has the
require-preauth attr. set tries to kinit.
modprinc +requires_preauth test
(wait for it to propagate)
kinit test
<blam> (all kdc's in realm take a snooze.)


Program received signal SIGSEGV (11), Segmentation fault
0x4010e41f in memset ()
(gdb) bt
Reading in symbols for ../../kdc/kdc_preauth.c...
debug info mismatch between compiler and debugger...done.
Reading in symbols for ../../kdc/do_as_req.c...done.
Reading in symbols for ../../kdc/dispatch.c...done.
Reading in symbols for ../../kdc/network.c...done.
#0 0x4010e41f in memset ()
#1 0x400a489c in krb5_free_etype_info ()
#2 0x5f92 in get_preauth_hint_list (request=0x16180, client=0xf7bfc718,
server=0xf7bfc6d8, e_data=0xf7bfc5e4) at ../../kdc/kdc_preauth.c:207
#3 0x21c0 in process_as_req (request=0x16180, from=0x0, portnum=88,
response=0xf7bfc7a4) at ../../kdc/do_as_req.c:293
#4 0x1985 in dispatch (pkt=0xf7bfd7b4, from=0xf7bfc7a8, portnum=88,
response=0xf7bfc7a4) at ../../kdc/dispatch.c:62
#5 0xa751 in process_packet (port_fd=16, prog=0xf7bfd959 "krb5kdc",
portnum=88) at ../../kdc/network.c:177
#6 0xa941 in listen_and_process (prog=0xf7bfd959 "krb5kdc")
at ../../kdc/network.c:221
#7 0xa2d4 in main (argc=2, argv=0xf7bfd880) at ../../kdc/main.c:912

It appears that the memset sees an uninitialized length and proceeds
to clear half of memory. Here is one possible fix.

cd /u/src/krb5-1.0pl1/src/kdc/
diff -c /u/src/krb5-1.0pl1/src/kdc/kdc_preauth.c.\~1\~ /u/src/krb5-1.0pl1/src/kdc/kdc_preauth.c
*** /u/src/krb5-1.0pl1/src/kdc/kdc_preauth.c.~1~ Wed Apr 2 23:42:18 1997
--- /u/src/krb5-1.0pl1/src/kdc/kdc_preauth.c Mon Jul 14 17:59:20 1997
*** 622,627 ****
--- 622,630 ----
char inputblock[8];
krb5_data predict_response;

+ /* XXX: mostly for the memset() at cleanup at the end. -wsr */
+ memset (&encrypting_key, 0, sizeof(encrypting_key));
/* Given the client name we can figure out what type of preauth
they need. The spec is currently for querying the database for
names that match the types of preauth used. Later we should
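Review bot: the hunk initialises encrypting_key at lines 622-630 of kdc_preauth.c, but the backtrace above crashes in krb5_free_etype_info() called from get_preauth_hint_list() at kdc_preauth.c:207, a different function; the zeroing here cannot be what stops that memset from reading an uninitialised length, so the etype_info allocation and free path in get_preauth_hint_list should be checked as well before closing the report on this patch alone. The added comment "/* XXX: mostly for the memset() at cleanup at the end. -wsr */" should also say what the invariant is, e.g. "encrypting_key.length and .contents must be valid (zero/NULL) on every exit path that reaches the cleanup memset", since that is what a later reader needs to preserve.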

Diff finished at Mon Jul 14 18:01:35
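The report's diagnosis is that a cleanup-time memset() ran on a key structure whose length field was never set, and the proposed fix is to zero the structure at the top of the function so every early-exit path hands cleanup a zero length and a NULL pointer. The following is an added illustration of that pattern, not code from the krb5 source or from the reporter's patch: the struct keyblock type, key_alloc(), key_cleanup() and handle_request() are hypothetical stand-ins for the real KDC types and functions, and the key bytes are constructed sample data.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for a keyblock-style structure (not the real krb5 type). */
struct keyblock {
    int enctype;
    unsigned int length;
    unsigned char *contents;
};

/* Fill the key with constructed sample material; returns 0 on success, -1 on failure. */
int key_alloc(struct keyblock *key, unsigned int len)
{
    key->contents = malloc(len);
    if (key->contents == NULL)
        return -1;
    memset(key->contents, 0xAB, len);   /* constructed key bytes, not real key material */
    key->length = len;
    key->enctype = 1;
    return 0;
}

/* Cleanup that is safe on a zeroed struct: it wipes and frees only what was
 * actually allocated, and leaves the struct in the zeroed state again.
 * Returns the number of bytes wiped so callers (and the test) can observe it. */
unsigned int key_cleanup(struct keyblock *key)
{
    unsigned int wiped = 0;
    if (key->contents != NULL) {
        memset(key->contents, 0, key->length);  /* length is trustworthy here */
        wiped = key->length;
        free(key->contents);
    }
    key->contents = NULL;
    key->length = 0;
    return wiped;
}

/* Mirrors the shape of the request handler in the report: the key is zeroed
 * at the top, so the early-exit path and the normal path both reach
 * key_cleanup() with a NULL pointer or a correct length, never garbage. */
unsigned int handle_request(int client_needs_key)
{
    struct keyblock encrypting_key;
    memset(&encrypting_key, 0, sizeof(encrypting_key));  /* the report's fix */

    if (client_needs_key) {
        if (key_alloc(&encrypting_key, 8) != 0)
            return key_cleanup(&encrypting_key);   /* early exit, nothing to wipe */
    }
    /* ... request processing would go here ... */
    return key_cleanup(&encrypting_key);           /* 0 bytes if no key, 8 if allocated */
}

int main(void)
{
    printf("no key: %u bytes wiped\n", handle_request(0));
    printf("with key: %u bytes wiped\n", handle_request(1));
    return 0;
}
```

Without the memset at the top of handle_request(), the client_needs_key == 0 path would reach key_cleanup() with whatever the stack held, which is exactly the uninitialised length the backtrace shows being passed to memset().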

Responsible-Changed-From-To: krb5-unassigned->tlyu
Responsible-Changed-By: tlyu
Responsible-Changed-When: Tue Jul 15 02:02:13 1997

State-Changed-From-To: open-closed
State-Changed-By: tlyu
State-Changed-When: Tue Jul 15 02:02:33 1997

src/kdc/kdc_preauth.c 5.15

From: Tom Yu <tlyu@MIT.EDU>
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-kdc/444: kdc (and secondaries) dump core with preauth
Date: Tue, 15 Jul 1997 02:04:54 -0400

Thanks for your bug report; the problem has been fixed in our master
