Subject: init_rtree() assertion triggered in kvno
The following is a stack trace when assert(ts->kdcs > 1); was triggered.
I have a crash dump containing only stack information and no process
memory. (Issue 956262-4-0434615306). The sources match kfw 3.2.2 (krb5
1.6.3).

krb5_64!init_rtree(struct tr_state * ts = 0x00000000`0012f820, struct
krb5_principal_data * client = 0x00000000`0015c980, struct
krb5_principal_data * server = 0x00000000`0015ca70)+0xd7
[k:\temp\kfw\build\pismere\athena\auth\krb5\src\lib\krb5\krb\gc_frm_kdc.c
@ 346]

krb5_64!do_traversal(struct _krb5_context * ctx = 0x00000000`0028f570,
struct _krb5_ccache * ccache = 0x00000000`0015d540, struct
krb5_principal_data * client = 0x00000000`0015c980, struct
krb5_principal_data * server = 0x00000000`0015ca70, struct _krb5_creds *
out_cc_tgt = 0x00000000`0012fa80, struct _krb5_creds ** out_tgt =
0x00000000`0012fbe0, struct _krb5_creds *** out_kdc_tgts =
0x00000000`0012fcb0)+0x9c
[k:\temp\kfw\build\pismere\athena\auth\krb5\src\lib\krb5\krb\gc_frm_kdc.c
@ 710]

krb5_64!krb5_get_cred_from_kdc_opt(struct _krb5_context * context =
0x00000000`0028f570, struct _krb5_ccache * ccache = 0x00000000`0015d540,
struct _krb5_creds * in_cred = 0x00000000`0012fdd0, struct _krb5_creds
** out_cred = 0x00000000`0012fda8, struct _krb5_creds *** tgts =
0x00000000`0012fcb0, int kdcopt = 0)+0xbf1
[k:\temp\kfw\build\pismere\athena\auth\krb5\src\lib\krb5\krb\gc_frm_kdc.c
@ 1085]

krb5_64!krb5_get_cred_from_kdc(struct _krb5_context * context =
0x00000000`0028f570, struct _krb5_ccache * ccache = 0x00000000`0015d540,
struct _krb5_creds * in_cred = 0x00000000`0012fdd0, struct _krb5_creds
** out_cred = 0x00000000`0012fda8, struct _krb5_creds *** tgts =
0x00000000`0012fcb0)+0x43
[k:\temp\kfw\build\pismere\athena\auth\krb5\src\lib\krb5\krb\gc_frm_kdc.c
@ 1187]

krb5_64!krb5_get_credentials(struct _krb5_context * context =
0x00000000`0028f570, int options = 0, struct _krb5_ccache * ccache =
0x00000000`0015d540, struct _krb5_creds * in_creds =
0x00000000`0012fdd0, struct _krb5_creds ** out_creds =
0x00000000`0012fda8)+0x1a5
[k:\temp\kfw\build\pismere\athena\auth\krb5\src\lib\krb5\krb\get_creds.c
@ 144]

kvno!do_v5_kvno(int count = 1, char ** names = 0x00000000`00156ae8, char
* ccachestr = 0x00000000`00000000 "", char * etypestr =
0x00000000`00000000 "", char * keytab_name = 0x00000000`00000000 "",
char * sname = 0x00000000`00000000 "")+0x398
[k:\temp\kfw\build\pismere\athena\auth\krb5\src\clients\kvno\kvno.c @ 268]

kvno!main(int argc = 2, char ** argv = 0x00000000`00156ae0)+0x22f
[k:\temp\kfw\build\pismere\athena\auth\krb5\src\clients\kvno\kvno.c @ 119]

To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5876] init_rtree() assertion triggered in kvno
From: Tom Yu <tlyu@MIT.EDU>
Date: Mon, 28 Jan 2008 19:43:19 -0500
RT-Send-Cc:
Please provide additional information, such as client and server
principal names (with realm), and exactly how the realm locations are
configured (krb5.conf including capaths, dns, etc.). Basically
walk_realm_tree is returning a list of fewer than 2 KDCs, which should
never happen.

Date: Mon, 28 Jan 2008 17:06:59 -0800
From: Jeffrey Altman <jaltman@mit.edu>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5876] init_rtree() assertion triggered in kvno
RT-Send-Cc:
Tom Yu via RT wrote:
> Please provide additional information, such as client and server
> principal names (with realm), and exactly how the realm locations are
> configured (krb5.conf including capaths, dns, etc.). Basically
> walk_realm_tree is returning a list of fewer than 2 KDCs, which should
> never happen.

Tom:

I wish I could provide you everything you desire. As I said in the
original submission, there is no other data available.

I have given you the entire stack trace and that is all you get.
This is a crash report that was filed with Microsoft by some random
machine on the internet via Windows Error Reporting.

I agree it should never happen but obviously it is since the assert()
was triggered.

Jeffrey Altman

After #6966, the TGS code path uses k5_client_realm_path, which
absolutely cannot return less than two elements, so I'm pretty sure this
bug can't happen any more.

#7668 points out a case where krb5_walk_realm_tree can return a one-
element list, so that may help explain how this crash could have happened
with the old code.