Subject: krb5_cc_default_name() can return NULL, but is passed directly to strcmp() (causing crash)
CC: datallah@pidgin.im
I've been running into an issue where occasionally when there's a
network change, I'm running into a crash because a NULL pointer is
passed to strcmp().

To provide some background, I'm using the MIT Kerberos for Windows
GSSAPI (version 3.2.2) functionality in the GSSAPI plugin for
Cyrus-SASL.

Immediately before the crash, an error popup is displayed saying:

Internal credentials cache error
(Kerberos error 196)
krb5_cc_next_cred() failed

The crash occurs as soon as I dismiss the popup.

A partially complete stacktrace is below; I'm not sure why it isn't
unwinding the last frames correctly to get to where the strcmp is
actually called. I've seen this sometimes with the utility I'm using
(exchndl.dll from the mingw-tools).
I think it is somehow getting messed up by the leash dll being loaded
dynamically.
-------------------
Error occured on Tuesday, June 10, 2008 at 08:26:04.

Windows Version 5.1 Build 2600 Service Pack 2

C:\devel\pidgin-devel\build\pidgin.exe caused an Access Violation at
location 77c47740 in module C:\WINDOWS\system32\msvcrt.dll Reading
from location 00000000.

Registers:
eax=00000000 ebx=06d3dc28 ecx=0022ea2c edx=00000000 esi=071642bc
edi=0022eb2c
eip=77c47740 esp=0022e9d4 ebp=0022eb2c iopl=0 nv up ei pl zr na
po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00210246

Call stack:
C:\WINDOWS\system32\msvcrt.dll [7.0.2600.2180]
77C47740 C:\WINDOWS\system32\msvcrt.dll strcmp
C:\devel\pidgin-devel\build\gssapi32.dll [1.6.3.16]
1C002BF1 C:\devel\pidgin-devel\build\gssapi32.dll acquire_init_cred
c:\temp\kfw\src\athena\auth\krb5\src\lib\gssapi\krb5\acquire_cred.c:306
1C001FA5 C:\devel\pidgin-devel\build\gssapi32.dll
krb5_gss_acquire_cred
c:\temp\kfw\src\athena\auth\krb5\src\lib\gssapi\krb5\acquire_cred.c:560
1C001620 C:\devel\pidgin-devel\build\gssapi32.dll kg_get_defcred
c:\temp\kfw\src\athena\auth\krb5\src\lib\gssapi\krb5\gssapi_krb5.c:148
1C00466C C:\devel\pidgin-devel\build\gssapi32.dll
krb5_gss_init_sec_context
c:\temp\kfw\src\athena\auth\krb5\src\lib\gssapi\krb5\init_sec_context.c:882
1C00A4CF C:\devel\pidgin-devel\build\gssapi32.dll
k5glue_init_sec_context
c:\temp\kfw\src\athena\auth\krb5\src\lib\gssapi\krb5\krb5_gss_glue.c:680
1C00D83C C:\devel\pidgin-devel\build\gssapi32.dll
gss_init_sec_context
c:\temp\kfw\src\athena\auth\krb5\src\lib\gssapi\mechglue\g_init_sec_context.c:225
C:\devel\pidgin-devel\build\sasl2\saslGSSAPI.dll [2.1.22.0]
01AD295A C:\devel\pidgin-devel\build\sasl2\saslGSSAPI.dll

I do not see an obvious location in the gss code or leash code in which
the output of krb5_cc_default_name() is used when NULL.

If you create a debug build so that the optimization is turned off, you
might get a back stack state.
Date: Sun, 20 Jul 2008 17:09:39 -0400
From: "Daniel Atallah" <daniel.atallah@gmail.com>
To: krb5-bugs@mit.edu
Subject: [krbdev.mit.edu #5980] krb5_cc_default_name() can return NULL, but is passed directly to strcmp() (causing crash)
Sorry for taking so long to reply - for some reason, I didn't receive
a notification that there had been a reply.

I've been unable to get a decent stack trace unfortunately, but
grepping through the source, I can see some possible culprits:

src\athena\auth\krb5\src\lib\krb5\ccache\ccdefault.c:85
src\athena\auth\krb5\src\lib\krb5\ccache\ccdefault.c:105
src\athena\auth\krb5\src\lib\krb5\ccache\ccdefault.c:55

Hopefully this makes it to RT successfully.
From: jaltman@mit.edu
Subject: SVN Commit


ccdefault.c:
krb5_cc_default_name() is permitted to return a NULL
pointer as a valid output. Passing a NULL pointer to
strcmp() will result in an exception as NULL is not
a valid input parameter to strcmp().

Save the output of krb5_cc_default_name() to a variable
and modify the conditional to set the new default ccache
name in the case where there is no existing default
ccache name.

Commit By: jaltman
Revision: 20551
Changed Files:
U trunk/src/lib/krb5/ccache/ccdefault.c
From: raeburn@mit.edu
Subject: SVN Commit

Another check for null return from krb5_cc_default_name.
Commit By: raeburn
Revision: 20561
Changed Files:
U trunk/src/lib/krb5/ccache/ccdefault.c
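The pattern that r20551 describes (save the result of krb5_cc_default_name() first, then treat a NULL result as "no default yet" instead of handing it to strcmp()), and that r20561's "another check" repeats at a second call site, as an added C example. This is not the krb5 code: the lookup function, its global, and the ccache names are constructed stand-ins, and the unfixed form is shown beside the fixed one for comparison.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for krb5_cc_default_name(): like the real call it is
 * permitted to return NULL when no default ccache name is currently set.
 * (Hypothetical helper; not the krb5 implementation.) */
static const char *g_default_ccache_name = NULL;

static const char *lookup_default_ccache_name(void)
{
    return g_default_ccache_name;
}

/* The shape of the conditional before the fix: the lookup result goes
 * straight into strcmp(). With a NULL result this reads address 0, which is
 * the access violation in the reported trace. Kept for comparison only and
 * never called while the default is unset. */
bool needs_update_unsafe(const char *wanted)
{
    return strcmp(lookup_default_ccache_name(), wanted) != 0;
}

/* The fixed shape from r20551: save the lookup result in a variable and treat
 * "no existing default" as a case where the new name must be set. */
static bool needs_update_safe(const char *wanted)
{
    const char *cur = lookup_default_ccache_name();
    return cur == NULL || strcmp(cur, wanted) != 0;
}

/* Applies the fixed logic; returns true when the default name was changed. */
static bool ensure_default_ccache_name(const char *wanted)
{
    if (!needs_update_safe(wanted))
        return false;
    g_default_ccache_name = wanted;
    return true;
}
```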
From: tlyu@mit.edu
Subject: SVN Commit

pull up r20551 from trunk

r20551@cathode-dark-space: jaltman | 2008-07-21 13:44:43 -0400
ticket: 5080
tags: pullup

ccdefault.c:
krb5_cc_default_name() is permitted to return a NULL
pointer as a valid output. Passing a NULL pointer to
strcmp() will result in an exception as NULL is not
a valid input parameter to strcmp().

Save the output of krb5_cc_default_name() to a variable
and modify the conditional to set the new default ccache
name in the case where there is no existing default
ccache name.

Commit By: tlyu
Revision: 20564
Changed Files:
_U branches/krb5-1-6/
U branches/krb5-1-6/src/lib/krb5/ccache/ccdefault.c
From: tlyu@mit.edu
Subject: SVN Commit

pull up r20561 from trunk
(includes unrelated cleanup of dead assignment)

r20561@cathode-dark-space: raeburn | 2008-07-21 16:59:24 -0400
ticket: 5980

Another check for null return from krb5_cc_default_name.

Commit By: tlyu
Revision: 20565
Changed Files:
_U branches/krb5-1-6/
U branches/krb5-1-6/src/lib/krb5/ccache/ccdefault.c