From krb5-bugs-incoming-bounces@PCH.mit.edu Mon Oct 30 18:37:08 2006
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by krbdev.mit.edu (8.9.3p2) with ESMTP
id SAA02614; Mon, 30 Oct 2006 18:37:07 -0500 (EST)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id k9UNab6X022524;
Mon, 30 Oct 2006 18:36:37 -0500
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU
[18.7.7.76])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id k9UMQLbI001914
for <krb5-bugs-incoming@PCH.mit.edu>; Mon, 30 Oct 2006 17:26:21 -0500
Received: from mit.edu (W92-130-BARRACUDA-3.MIT.EDU [18.7.21.224])
by fort-point-station.mit.edu (8.13.6/8.9.2) with ESMTP id
k9UMQ4HK026412
for <krb5-bugs@mit.edu>; Mon, 30 Oct 2006 17:26:04 -0500 (EST)
Received: from mx1.redhat.com (mx1.redhat.com [66.187.233.31])
by mit.edu (Spam Firewall) with ESMTP id 78D3885B1D
for <krb5-bugs@mit.edu>; Mon, 30 Oct 2006 17:25:59 -0500 (EST)
Received: from int-mx1.corp.redhat.com (int-mx1.corp.redhat.com
[172.16.52.254])
by mx1.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
k9UMPwrJ014954
for <krb5-bugs@mit.edu>; Mon, 30 Oct 2006 17:25:58 -0500
Received: from localhost.localdomain (sparky.boston.redhat.com [172.16.80.55])
by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id
k9UMPw1q027469
for <krb5-bugs@mit.edu>; Mon, 30 Oct 2006 17:25:58 -0500
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by localhost.localdomain (8.13.8/8.13.8) with ESMTP id k9UMHLB1008215
for <krb5-bugs@mit.edu>; Mon, 30 Oct 2006 17:17:21 -0500
Received: (from nalin@localhost)
by localhost.localdomain (8.13.8/8.13.8/Submit) id k9UMHLg8008214;
Mon, 30 Oct 2006 17:17:21 -0500
Date: Mon, 30 Oct 2006 17:17:21 -0500
From: Nalin Dahyabhai <nalin@redhat.com>
Message-Id: <200610302217.k9UMHLg8008214@localhost.localdomain>
To: krb5-bugs@mit.edu
Subject: crasher in preauth plugin support
X-send-pr-version: 3.99
X-Spam-Score: 0.00
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
X-Mailman-Approved-At: Mon, 30 Oct 2006 18:36:36 -0500
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Reply-To: nalin@redhat.com
Sender: krb5-bugs-incoming-bounces@PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu
>Submitter-Id: net
>Originator: Nalin Dahyabhai
>Organization: Red Hat
>Confidential: no
>Synopsis: KDC can crash for certain client requests when preauth plugins are used
>Severity: serious
>Priority: medium
>Category: krb5-kdc
>Class: sw-bug
>Release: trunk
>Environment:
System: Linux sparky 2.6.18-1.2798.fc6 #1 SMP Mon Oct 16 14:37:32 EDT 2006 i686 athlon i386 GNU/Linux
Architecture: i686
>Description:
If the client's AS request doesn't include any preauthentication data,
and there is at least one module loaded which implements
preauthentication and advertises that it replaces the key which is
used to encrypt the reply, the KDC will crash when it attempts to
compare the preauth type which the module implements with one or
more of the types of preauth data which the client supplied.
>How-To-Repeat:
Load the wpse module, and attempt to get credentials for a user who
does not have the requires_preauth flag set in the KDB entry.
>Fix:
Index: src/kdc/kdc_preauth.c
===================================================================
--- src/kdc/kdc_preauth.c (revision 18750)
+++ src/kdc/kdc_preauth.c (working copy)
@@ -721,25 +721,28 @@
}
}
- /* Now sort just the modules which replace the key, placing those which
- * handle the pa_data types provided by the client ahead of the others. */
- for (i = 0; preauth_systems[pa_order[i]].flags & PA_REPLACES_KEY; i++) {
- continue;
- }
- n_key_replacers = i;
- for (i = 0; i < n_key_replacers; i++) {
- if (pa_list_includes(request->padata,
- preauth_systems[pa_order[i]].type))
- continue;
- for (j = i + 1; j < n_key_replacers; j++) {
- if (pa_list_includes(request->padata,
- preauth_systems[pa_order[j]].type)) {
- k = pa_order[j];
- pa_order[j] = pa_order[i];
- pa_order[i] = k;
- break;
- }
- }
- }
+ if (request->padata != NULL) {
+ /* Now reorder the subset of modules which replace the key, bubbling
+ * those which handle pa_data types provided by the client ahead of the
+ * others. */
+ for (i = 0; preauth_systems[pa_order[i]].flags & PA_REPLACES_KEY; i++) {
+ continue;
+ }
+ n_key_replacers = i;
+ for (i = 0; i < n_key_replacers; i++) {
+ if (pa_list_includes(request->padata,
+ preauth_systems[pa_order[i]].type))
+ continue;
+ for (j = i + 1; j < n_key_replacers; j++) {
+ if (pa_list_includes(request->padata,
+ preauth_systems[pa_order[j]].type)) {
+ k = pa_order[j];
+ pa_order[j] = pa_order[i];
+ pa_order[i] = k;
+ break;
+ }
+ }
+ }
+ }
#ifdef DEBUG
krb5_klog_syslog(LOG_DEBUG, "original preauth mechanism list:");
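Review bot: the `if (request->padata != NULL)` guard around the reordering block fixes the crash only at this call site; since the fault is `pa_list_includes` walking a NULL padata list, a NULL check inside `pa_list_includes` itself (return 0 when the list pointer is NULL) would protect every caller and would let this block keep its original, shallower nesting. The guard also skips the counting loop that sets `n_key_replacers`; that is harmless here because `n_key_replacers` is only read by the reordering loop inside the same `if`, but a one-line comment saying so would stop a later reader from assuming it is initialised on the no-padata path. Separately, the counting loop `for (i = 0; preauth_systems[pa_order[i]].flags & PA_REPLACES_KEY; i++)` terminates only if `pa_order` always ends in an entry without `PA_REPLACES_KEY`; that sentinel is not visible in the hunk, so confirm it holds for every module configuration, since the same out-of-bounds walk would otherwise remain reachable from an unauthenticated AS request.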