Subject: segfault in gss_export_sec_context
Date: Mon, 1 Mar 2010 16:30:57 -0500
From: "Arlene Berry" <aberry@likewise.com>
To: <krb5-bugs@mit.edu>
When using gss_export_sec_context on a security context that was created
using impersonated credentials, gss_export_sec_context segfaults. The
problem is that it assumes that if ctx->initiator exists then
ctx->initiator->ad_context exists which doesn't appear to be the case
when impersonated credentials were used. The following changes fixed it
for us.

--- krb5/src/lib/gssapi/krb5/ser_sctx.c (revision 41102)
+++ krb5/src/lib/gssapi/krb5/ser_sctx.c (working copy)
@@ -357,7 +357,7 @@

initiator_name = ctx->initiate ? ctx->here : ctx->there;

- if (initiator_name) {
+ if (initiator_name && initiator_name->ad_context) {
kret = krb5_size_opaque(kcontext,
KV5M_AUTHDATA_CONTEXT,
initiator_name->ad_context,
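Review bot: the extra `initiator_name->ad_context` test is the right place for the check given the backtrace later in this ticket: krb5_size_opaque is entered with arg=0x0, passes it on to krb5_authdata_context_size, and k5_ad_size then reads `context->n_modules` without any NULL test, so the caller is the only point that can refuse to hand a NULL authdata context to the sizer. Please confirm the byte count produced here stays in step with the externalize pass; anything counted here but not written (or the reverse) surfaces later as a corrupt exported token rather than as a clean error.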
@@ -534,7 +534,7 @@

initiator_name = ctx->initiate ? ctx->here :
ctx->there;

- if (initiator_name) {
+ if (initiator_name && initiator_name->ad_context) {
kret = krb5_externalize_opaque(kcontext,

KV5M_AUTHDATA_CONTEXT,

initiator_name->ad_context,
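Review bot: keeping kg_ctx_externalize guarded the same way as the size pass is required, but note that simply skipping the opaque leaves no marker in the stream saying whether an authdata context follows; the internalize hunk below has to discover the absence by trying to parse one and treating the failure as success. Writing an explicit presence flag (or an empty opaque) at this point would let the reader distinguish "no context was serialized" from "the data is malformed".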
@@ -767,6 +767,8 @@
(krb5_pointer
*)&initiator_name->ad_context,
&bp,
&remain);
+ if (kret == EINVAL)
+ kret = 0;
}
}
/* Get trailer */
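Review bot: `if (kret == EINVAL) kret = 0;` turns every EINVAL from krb5_internalize_opaque into success, not only the one produced when no authdata context was serialized, so a genuinely malformed exported context is now accepted silently at this step. Please also confirm that on that error path the callee leaves `initiator_name->ad_context` NULL and `bp`/`remain` untouched; otherwise the trailer read that follows (`/* Get trailer */`) starts at the wrong offset. A narrower condition, or a presence marker written by the externalize side, would avoid inferring absence from an error code.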
Where does the actual seg fault happen? krb5_authdata_size and
krb5_authdata_externalize both appear able to handle null arguments
without seg faulting.
Date: Fri, 5 Mar 2010 16:51:19 -0500
From: "Arlene Berry" <aberry@likewise.com>
To: <krb5-bugs@MIT.EDU>
Subject: [krbdev.mit.edu #6675] segfault in gss_export_sec_context
In src/lib/krb5/krb/authdata.c context is NULL and is dereferenced:

static krb5_error_code
k5_ad_size(krb5_context kcontext,
           krb5_authdata_context context,
           krb5_flags flags,
           size_t *sizep)
{
    int i;
    krb5_error_code code = 0;

    *sizep += sizeof(krb5_int32); /* count */

    for (i = 0; i < context->n_modules; i++) { /* context is NULL here */

The back trace is:

#0  0x0045dfcf in k5_ad_size (kcontext=0x8054af8, context=0x0, flags=15, sizep=0xbffff078)
    at krb5/src/lib/krb5/krb/authdata.c:162
#1  0x0045f7a2 in krb5_authdata_context_size (kcontext=0x8054af8, ptr=0x0, sizep=0xbffff078)
    at krb5/src/lib/krb5/krb/authdata.c:1131 (line 1067 in your trunk)
#2  0x00484310 in krb5_size_opaque (kcontext=0x8054af8, odtype=-1760647364, arg=0x0, sizep=0xbffff078)
    at krb5/src/lib/krb5/krb/serialize.c:104 (line 105 in your trunk)
#3  0x006ed9c3 in kg_ctx_size (kcontext=0x8054af8, arg=0x8053700, sizep=0xbffff0b4)
    at krb5/src/lib/gssapi/krb5/ser_sctx.c:361
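The bug report and the backtrace above describe the general shape of the problem: a size pass, an externalize pass and an internalize pass over a structure whose authdata context may be NULL, where the sizer (k5_ad_size) dereferences whatever it is handed. The following is an added example written for this page, not krb5 code and not the submitter's patch. It models the three passes on a hypothetical `kctx_t` / `kname_t` / `ad_context_t` trio with a constructed wire layout, guards the optional context in the size and externalize passes the way the patch does, and writes an explicit presence flag so the internalize side never has to map an error code to success:

```c
/* Added example, not krb5 code: a toy serializer modelled on the kg_ctx_size /
 * kg_ctx_externalize / kg_ctx_internalize trio, with an optional sub-object
 * ("ad_context") handled consistently in all three passes.  Every name here is
 * hypothetical.  Wire layout (constructed): initiate(4) | present(4) | [ n(4) | modules(4*n) ] */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { uint32_t n_modules; uint32_t modules[8]; } ad_context_t;
typedef struct { ad_context_t *ad_context; } kname_t;  /* NULL with impersonated creds */
typedef struct { int initiate; kname_t *here; kname_t *there; } kctx_t;

static int put_u32(uint8_t **bp, size_t *remain, uint32_t v)
{
    if (*remain < 4) return ENOMEM;
    (*bp)[0] = (uint8_t)(v >> 24); (*bp)[1] = (uint8_t)(v >> 16);
    (*bp)[2] = (uint8_t)(v >> 8);  (*bp)[3] = (uint8_t)v;
    *bp += 4; *remain -= 4; return 0;
}

static int get_u32(const uint8_t **bp, size_t *remain, uint32_t *v)
{
    if (*remain < 4) return EINVAL;
    *v = ((uint32_t)(*bp)[0] << 24) | ((uint32_t)(*bp)[1] << 16) |
         ((uint32_t)(*bp)[2] << 8) | (uint32_t)(*bp)[3];
    *bp += 4; *remain -= 4; return 0;
}

/* Like k5_ad_size in the backtrace: dereferences its argument unconditionally. */
static size_t ad_size(const ad_context_t *ad) { return 4 + 4 * (size_t)ad->n_modules; }

int ctx_size(const kctx_t *ctx, size_t *sizep)
{
    const kname_t *initiator_name = ctx->initiate ? ctx->here : ctx->there;
    *sizep = 8;
    if (initiator_name && initiator_name->ad_context)  /* the guard from the patch */
        *sizep += ad_size(initiator_name->ad_context);
    return 0;
}

int ctx_externalize(const kctx_t *ctx, uint8_t *buf, size_t buflen, size_t *written)
{
    const kname_t *initiator_name = ctx->initiate ? ctx->here : ctx->there;
    const ad_context_t *ad = initiator_name ? initiator_name->ad_context : NULL;
    uint8_t *bp = buf; size_t remain = buflen; uint32_t i; int ret;
    if ((ret = put_u32(&bp, &remain, (uint32_t)ctx->initiate)) != 0) return ret;
    if ((ret = put_u32(&bp, &remain, ad ? 1u : 0u)) != 0) return ret;  /* explicit presence flag */
    if (ad && (ret = put_u32(&bp, &remain, ad->n_modules)) != 0) return ret;
    for (i = 0; ad && i < ad->n_modules; i++)
        if ((ret = put_u32(&bp, &remain, ad->modules[i])) != 0) return ret;
    *written = (size_t)(bp - buf);
    return 0;
}

/* The presence flag makes a missing context a normal result, so no sub-parser
 * error code (such as EINVAL) has to be mapped to success on this side. */
int ctx_internalize(kctx_t *out, kname_t *name, const uint8_t *buf, size_t buflen)
{
    const uint8_t *bp = buf; size_t remain = buflen;
    uint32_t initiate, present, n, i; int ret; ad_context_t *ad;
    memset(out, 0, sizeof(*out)); name->ad_context = NULL;
    if ((ret = get_u32(&bp, &remain, &initiate)) != 0) return ret;
    if ((ret = get_u32(&bp, &remain, &present)) != 0) return ret;
    out->initiate = (int)initiate; if (initiate) out->here = name; else out->there = name;
    if (!present) return 0;
    if ((ret = get_u32(&bp, &remain, &n)) != 0) return ret;
    if (n > 8 || remain < 4 * (size_t)n) return EINVAL;  /* validate the count before trusting it */
    if ((ad = calloc(1, sizeof(*ad))) == NULL) return ENOMEM;
    ad->n_modules = n;
    for (i = 0; i < n; i++) get_u32(&bp, &remain, &ad->modules[i]);  /* bounds checked above */
    name->ad_context = ad;
    return 0;
}

/* Round trip size -> externalize -> internalize; returns 1 when all three passes
 * agree.  with_ad == 0 is the reported case: name present, ad_context NULL. */
int demo(int with_ad)
{
    ad_context_t ad = { 2, { 7, 9 } };
    kname_t in_name = { with_ad ? &ad : NULL }, out_name = { NULL };
    kctx_t in = { 1, &in_name, NULL }, out = { 0 };
    size_t need = 0, written = 0; uint8_t *buf; int ok;
    ctx_size(&in, &need);
    if ((buf = malloc(need)) == NULL) return 0;
    ok = ctx_externalize(&in, buf, need, &written) == 0 && written == need &&
         ctx_internalize(&out, &out_name, buf, written) == 0 && out.here == &out_name;
    if (with_ad)
        ok = ok && out_name.ad_context != NULL && out_name.ad_context->n_modules == 2 &&
             out_name.ad_context->modules[1] == 9;
    else
        ok = ok && out_name.ad_context == NULL;
    free(out_name.ad_context); free(buf);
    return ok;
}

int main(void) { return printf("NULL ad_context: %d, present: %d\n", demo(0), demo(1)) < 0; }
```

`demo(0)` exercises the reported situation (initiator name present, `ad_context` NULL) and `demo(1)` the normal one; both return 1 only if the byte count from the size pass equals what externalize wrote and internalize reconstructs exactly what went in. The design point is that the size, externalize and internalize passes are three views of one format, so a guard added to one of them has to be mirrored in the other two, and a presence flag in the stream is a cleaner way to express "nothing here" than a caller-side error translation.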
From: ghudson@mit.edu
Subject: SVN Commit

Don't attempt to serialize a NULL authdata context when serializing a
GSSAPI context (most often seen with initiator contexts). Patch from
aberry@likewise.com.


https://github.com/krb5/krb5/commit/55d479539cf47eb594bbdf31e8c351f74b060cf6
Commit By: ghudson
Revision: 24590
Changed Files:
U trunk/src/lib/gssapi/krb5/ser_sctx.c
From: tlyu@mit.edu
Subject: SVN Commit

pull up r24590 from trunk

------------------------------------------------------------------------
r24590 | ghudson | 2010-12-28 13:27:17 -0500 (Tue, 28 Dec 2010) | 8 lines

ticket: 6675
target_version: 1.9.1
tags: pullup

Don't attempt to serialize a NULL authdata context when serializing a
GSSAPI context (most often seen with initiator contexts). Patch from
aberry@likewise.com.

https://github.com/krb5/krb5/commit/d32e1e078b9caf55b930f69362443b39c02f6111
Commit By: tlyu
Revision: 24607
Changed Files:
U branches/krb5-1-9/src/lib/gssapi/krb5/ser_sctx.c