From buhr@mozart.stat.wisc.edu Wed Aug 6 13:29:41 1997
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id NAA26976 for <bugs@RT-11.MIT.EDU>; Wed, 6 Aug 1997 13:29:36 -0400
Received: from mozart.stat.wisc.edu by MIT.EDU with SMTP
id AA24317; Wed, 6 Aug 97 13:29:34 EDT
Received: by mozart.stat.wisc.edu
id m0ww9tq-0000YvC
(Debian Smail-3.2 1996-Jul-4 #2); Wed, 6 Aug 1997 12:29:30 -0500 (CDT)
Message-Id: <vbaafivp6dh.fsf@mozart.stat.wisc.edu>
Date: 06 Aug 1997 12:29:30 -0500
From: buhr@stat.wisc.edu (Kevin Buhr)
To: krb5-bugs@MIT.EDU
Subject: NULL pointer dereference in "krb5_rd_cred_basic"
>Number: 456
>Category: krb5-libs
>Synopsis: NULL pointer dereference in "krb5_rd_cred_basic"
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: tlyu
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Aug 06 13:30:01 EDT 1997
>Last-Modified: Fri Aug 08 18:05:15 EDT 1997
>Originator: Kevin Buhr
>Organization:
University of Wisconsin---Madison
>Release: 1.0pl1
>Environment:
System: Linux mozart 2.1.47 #18 Tue Aug 5 13:07:37 CDT 1997 i486 unknown
Architecture: i486
>Description:
There is a potential NULL pointer dereference in "krb5_rd_cred_basic"
that is tickled by Beta 4 "rsh" and "rlogin" clients. The relevant
snippet of code starts at line 108 of "src/lib/krb5/krb/rd_cred.c":

    if (pkeyblock != NULL) {
        if (!krb5_address_compare(context, remote_addr, encpart.s_address)) {
            retval = KRB5KRB_AP_ERR_BADADDR;
            goto cleanup_cred;
        }
    }
No guarantee is made that the "encpart.s_address" is non-NULL before
this call to "krb5_address_compare".
When a Beta 4 "rsh" client is used to connect to a 1.0pl1 "kshd"
server with credentials forwarding, it creates a credentials structure
with NULL "sender_addr" and "recv_addr" fields. As a result, the
1.0pl1 server crashes when it passes the NULL encpart.s_address to
"krb5_address_compare".
The visible symptoms are that the client aborts with:
kcmd: bad connection with remote host
and retries using non-Kerberos "rsh".
>How-To-Repeat:
Connect to a 1.0pl1 server with a Beta 4 "rsh" client using:

    rsh -F newish-server echo test
>Fix:
I'm using the following, obvious, patch, but am completely clueless
with regards to the security implications:
diff -u -r1.1 src/lib/krb5/krb/rd_cred.c
--- src/lib/krb5/krb/rd_cred.c 1997/08/06 00:00:25 1.1
+++ src/lib/krb5/krb/rd_cred.c 1997/08/06 00:00:31
@@ -105,7 +105,7 @@
* protected by encryption. If it came in the checksum field of
* an init_sec_context message, skip over this check.
*/
- if (pkeyblock != NULL) {
+ if (remote_addr && encpart.s_address && pkeyblock != NULL) {
if (!krb5_address_compare(context, remote_addr, encpart.s_address)) {
retval = KRB5KRB_AP_ERR_BADADDR;
goto cleanup_cred;
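Review bot: The new condition on the `+` line makes a credential that carries no `encpart.s_address` pass the address check unconditionally, so the check's meaning changes from "the sender address must match the connection" to "the sender address must match if the sender chose to include one"; since the comment directly above describes this comparison as the protection applied when the cred arrives encrypted, decide explicitly whether a NULL `encpart.s_address` with a non-NULL `remote_addr` should return `KRB5KRB_AP_ERR_BADADDR` instead of being skipped, and record that decision in the comment either way. Guarding `remote_addr` is correct, since `krb5_address_compare` dereferences both arguments and the caller may legitimately pass no address. Minor style point: the condition mixes bare pointer tests with `pkeyblock != NULL`; use one form, e.g. `if (pkeyblock != NULL && remote_addr != NULL && encpart.s_address != NULL) {`.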
>Audit-Trail:
Responsible-Changed-From-To: krb5-unassigned->tlyu
Responsible-Changed-By: tlyu
Responsible-Changed-When: Fri Aug 8 18:04:45 1997
Responsible-Changed-Why:
mine
State-Changed-From-To: open-closed
State-Changed-By: tlyu
State-Changed-When: Fri Aug 8 18:04:52 1997
State-Changed-Why:
Fixed.
lib/krb5/krb/rd_cred.c 5.31
>Unformatted:
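The following is an added example, not code from this report or from krb5, that models the address check the report describes in a few dozen lines of plain C so the two possible outcomes of the fix can be run side by side. The `addr_t` struct, `address_compare`, the `check_addr_*` functions and the `ADDR_*` result codes are simplified stand-ins assumed for this illustration (real krb5 uses `krb5_address`, `krb5_address_compare` and `KRB5KRB_AP_ERR_BADADDR`); the sample addresses are constructed. `check_addr_patched` follows the semantics of the submitted patch, where a missing address on either side skips the comparison; `check_addr_strict` is this example's own stricter alternative that refuses a credential omitting its sender address when the caller did supply a remote address.

```c
/* Added example, not krb5 code: a reduced model of the address check in
 * krb5_rd_cred_basic.  Types, functions and result codes are assumptions
 * made for illustration only. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified stand-in for krb5_address: address type, length, raw bytes. */
typedef struct {
    int addrtype;
    unsigned int length;
    const unsigned char *contents;
} addr_t;

/* Hypothetical result codes for the check (not krb5's error codes). */
enum { ADDR_OK = 0, ADDR_ERR_BADADDR = 1, ADDR_ERR_MISSING = 2 };

/* Models krb5_address_compare: both arguments are dereferenced without
 * any NULL check, which is exactly why a NULL s_address crashes the
 * server in the report. */
static int address_compare(const addr_t *a, const addr_t *b)
{
    return a->addrtype == b->addrtype
        && a->length == b->length
        && memcmp(a->contents, b->contents, a->length) == 0;
}

/* The check as the submitted patch leaves it: the comparison only runs
 * when the message was encrypted (have_key) AND both addresses are
 * present; a credential with no sender address passes silently. */
static int check_addr_patched(const addr_t *remote, const addr_t *sender, int have_key)
{
    if (remote && sender && have_key) {
        if (!address_compare(remote, sender))
            return ADDR_ERR_BADADDR;
    }
    return ADDR_OK;
}

/* Stricter variant (this example's assumption, not the patch): if the
 * caller supplied a remote address for an encrypted credential, a missing
 * sender address is reported rather than waved through. */
static int check_addr_strict(const addr_t *remote, const addr_t *sender, int have_key)
{
    if (!have_key || !remote)
        return ADDR_OK;          /* nothing to compare against */
    if (!sender)
        return ADDR_ERR_MISSING; /* do not silently skip the check */
    return address_compare(remote, sender) ? ADDR_OK : ADDR_ERR_BADADDR;
}

/* Constructed sample addresses; addrtype 2 mirrors krb5's ADDRTYPE_INET. */
static const unsigned char ip_a[4] = {10, 0, 0, 1};
static const unsigned char ip_b[4] = {10, 0, 0, 2};
static const addr_t host_a = {2, 4, ip_a};
static const addr_t host_b = {2, 4, ip_b};

int main(void)
{
    printf("patched, match:      %d\n", check_addr_patched(&host_a, &host_a, 1));
    printf("patched, mismatch:   %d\n", check_addr_patched(&host_a, &host_b, 1));
    printf("patched, no s_addr:  %d\n", check_addr_patched(&host_a, NULL, 1));
    printf("strict,  no s_addr:  %d\n", check_addr_strict(&host_a, NULL, 1));
    return 0;
}
```

The unguarded call `address_compare(&host_a, NULL)` is the crash the report describes; `check_addr_patched` avoids it by skipping, `check_addr_strict` by returning a distinct error the caller can map to a rejection, which is the policy choice the submitter flags as unresolved.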