From krb5-bugs-incoming-bounces@PCH.mit.edu Fri Mar 12 17:09:51 2010
Return-Path: <krb5-bugs-incoming-bounces@PCH.mit.edu>
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
by krbdev.mit.edu (Postfix) with ESMTP id 6F5423F0EA;
Fri, 12 Mar 2010 17:09:51 -0500 (EST)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id o2CM9pvo013889;
Fri, 12 Mar 2010 17:09:51 -0500
Received: from mailhub-dmz-4.mit.edu (MAILHUB-DMZ-4.MIT.EDU [18.7.62.38])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id o2CK6PZa027250
for <krb5-bugs-incoming@PCH.mit.edu>; Fri, 12 Mar 2010 15:06:25 -0500
Received: from dmz-mailsec-scanner-8.mit.edu (DMZ-MAILSEC-SCANNER-8.MIT.EDU
[18.7.68.37])
by mailhub-dmz-4.mit.edu (8.13.8/8.9.2) with ESMTP id o2CK5ubG002176
for <krb5-bugs@mit.edu>; Fri, 12 Mar 2010 15:06:25 -0500
X-AuditID: 12074425-b7d00ae000002295-a4-4b9a9ec07b72
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
by dmz-mailsec-scanner-8.mit.edu (Symantec Brightmail Gateway) with
SMTP id 62.03.08853.1CE9A9B4; Fri, 12 Mar 2010 15:06:25 -0500 (EST)
Received: from int-mx02.intmail.prod.int.phx2.redhat.com
(int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])
by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id o2CK6OnX015470
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
for <krb5-bugs@mit.edu>; Fri, 12 Mar 2010 15:06:24 -0500
Received: from blade.bos.redhat.com (blade.bos.redhat.com [10.16.0.23])
by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
id o2CK6NEF027566
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
for <krb5-bugs@mit.edu>; Fri, 12 Mar 2010 15:06:23 -0500
Received: from blade.bos.redhat.com (localhost [127.0.0.1])
by blade.bos.redhat.com (8.14.4/8.14.3) with ESMTP id o2CK6M6f022913
for <krb5-bugs@mit.edu>; Fri, 12 Mar 2010 15:06:22 -0500
Received: (from nalin@localhost)
by blade.bos.redhat.com (8.14.4/8.14.4/Submit) id o2CK6M6N022912;
Fri, 12 Mar 2010 15:06:22 -0500
Date: Fri, 12 Mar 2010 15:06:22 -0500
Message-Id: <201003122006.o2CK6M6N022912@blade.bos.redhat.com>
To: krb5-bugs@mit.edu
Subject: krb5_get_init_creds_password() can crash with NULL options and
expired keys
From: nalin@redhat.com
X-send-pr-version: 3.99
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12
X-Brightmail-Tracker: AAAAAhM9I9YTPgcy
X-Mailman-Approved-At: Fri, 12 Mar 2010 17:09:50 -0500
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Reply-To: nalin@redhat.com
Sender: krb5-bugs-incoming-bounces@PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu
>Submitter-Id: net
>Originator: Nalin Dahyabhai
>Organization:
>Confidential: no
>Synopsis: krb5_get_init_creds_password() can crash with NULL options and expired keys
>Severity: non-critical
>Priority: medium
>Category: krb5-libs
>Class: sw-bug
>Release: 1.8
>Environment:
System: Linux blade.bos.redhat.com 2.6.31.9-174.fc12.x86_64 #1 SMP Mon Dec 21 05:33:33 UTC 2009 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64
>Description:
Bert Barbé noted, on kerberos@, that krb5_get_init_creds_password(),
if it was dealing with an expired key, could try to dereference its
"options" argument to read flags before checking that "options"
wasn't NULL.
>Fix:
This patch creates a krb5_gic_opt_ext structure using the passed-in
options value, which ensures that when we go to check the flags, we
get the library defaults if we were passed NULL.
Index: src/lib/krb5/krb/gic_pwd.c
===================================================================
--- src/lib/krb5/krb/gic_pwd.c (revision 23799)
+++ src/lib/krb5/krb/gic_pwd.c (working copy)
@@ -123,6 +123,7 @@
int tries;
krb5_creds chpw_creds;
krb5_get_init_creds_opt *chpw_opts = NULL;
+ krb5_gic_opt_ext *opte = NULL;
krb5_data pw0, pw1;
char banner[1024], pw0array[1024], pw1array[1024];
krb5_prompt prompt[2];
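Review bot: the NULL initialisation of opte on the added line is load-bearing rather than cosmetic: the cleanup label later in this patch frees opte whenever it differs from options, and any goto cleanup taken before the conversion call reaches that test with opte still NULL. A one-line comment beside the declaration, e.g. `/* extended form of options; freed in cleanup only if allocated here */`, would record that ownership contract for the next person editing this function.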
@@ -218,7 +219,8 @@
* to prompt. Prompting is only disabled if the option has been set
* and the value has been set to false.
*/
- if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
+ krb5int_gic_opt_to_opte(context, options, &opte, 1, NULL);
+ if (!(opte->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
goto cleanup;
/* ok, we have an expired password. Give the user a few chances
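Review bot: the return value of krb5int_gic_opt_to_opte() is discarded on the `+ krb5int_gic_opt_to_opte(context, options, &opte, 1, NULL);` line, and the next added line dereferences opte->flags unconditionally. If the conversion fails (for instance an allocation failure when options is NULL and a fresh extended structure has to be created), opte is still NULL and this hunk reintroduces the NULL dereference the patch is meant to remove, now on the error path. Suggest capturing the code and bailing out before the flag test: `ret = krb5int_gic_opt_to_opte(context, options, &opte, 1, NULL); if (ret) goto cleanup;` (using whichever error variable this function already returns).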
@@ -332,6 +334,8 @@
&use_master, &as_reply);
cleanup:
+ if (opte != options)
+ krb5_get_init_creds_opt_free(context, opte);
krb5int_set_prompt_types(context, 0);
/* if getting the password was successful, then check to see if the
password is about to expire, and warn if so */
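Review bot: `if (opte != options)` compares a krb5_gic_opt_ext * with a krb5_get_init_creds_opt *, and the following `krb5_get_init_creds_opt_free(context, opte)` passes the same krb5_gic_opt_ext * where the free routine takes a krb5_get_init_creds_opt *; both are distinct pointer types that most compilers warn about, so cast explicitly, e.g. `if ((krb5_get_init_creds_opt *)opte != options)` and `krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte);`, which also spells out the intent: free only the extended structure this function allocated, never the caller's. Note too that when the conversion in the earlier hunk fails with a non-NULL options, this test is true with opte == NULL and the free routine is handed a NULL pointer; that is harmless only if krb5_get_init_creds_opt_free() tolerates NULL, which this patch does not show, so checking the conversion's return value earlier would remove the question.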
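The pattern behind this report and its fix, as an added C example that is not part of the report or of the krb5 sources: demo_opts, opts_to_ext, OPT_CHG_PWD_PRMPT and the two handle_expired_key_* functions are hypothetical stand-ins for krb5_get_init_creds_opt, krb5int_gic_opt_to_opte(), KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT and the expired-key branch of krb5_get_init_creds_password(). It shows the defect (reading flags through a possibly NULL options pointer) beside the fix (normalising to a defaults block first and freeing only what was allocated locally), and goes one step beyond the posted patch by checking the normalisation helper's result so that a failed allocation fails closed instead of dereferencing NULL on the error path.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for krb5_get_init_creds_opt: a caller-supplied
 * options block that may legitimately be NULL, meaning "use defaults". */
typedef struct {
    unsigned int flags;
} demo_opts;

/* Constructed flag value; stands in for KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT. */
#define OPT_CHG_PWD_PRMPT 0x0001u

/* Outcomes of the expired-key branch, returned so they can be checked. */
enum { WOULD_CRASH = -1, NO_PROMPT = 0, PROMPT = 1 };

/* The defect described in the report: the flags are read through
 * "options" before anyone has checked that "options" is non-NULL.
 * The dereference is modelled (WOULD_CRASH) rather than performed,
 * since the real thing would abort the process. */
int handle_expired_key_unsafe(demo_opts *options)
{
    if (options == NULL)
        return WOULD_CRASH;              /* what options->flags would do */
    return (options->flags & OPT_CHG_PWD_PRMPT) ? PROMPT : NO_PROMPT;
}

/* Hypothetical analogue of krb5int_gic_opt_to_opte() with force set:
 * return the caller's block when there is one, otherwise allocate a
 * block carrying the library defaults (prompting enabled). Ownership
 * rule: the caller of this helper frees the result only if it is not
 * the same pointer it passed in. */
static demo_opts *opts_to_ext(demo_opts *options)
{
    demo_opts *opte;

    if (options != NULL)
        return options;                  /* alias; caller still owns it */
    opte = calloc(1, sizeof(*opte));
    if (opte == NULL)
        return NULL;                     /* allocation failure */
    opte->flags = OPT_CHG_PWD_PRMPT;     /* default: offer to change the password */
    return opte;
}

/* The fixed branch: normalise first, then read flags from the
 * normalised block. Unlike the patch as posted, the helper's failure
 * is checked, so a failed allocation fails closed instead of
 * dereferencing NULL on the error path. */
int handle_expired_key_fixed(demo_opts *options)
{
    demo_opts *opte = opts_to_ext(options);
    int outcome;

    if (opte == NULL)
        return NO_PROMPT;                /* cannot prompt safely; give up */
    outcome = (opte->flags & OPT_CHG_PWD_PRMPT) ? PROMPT : NO_PROMPT;

    /* cleanup: free only the block allocated here, never the caller's */
    if (opte != options)
        free(opte);
    return outcome;
}

int main(void)
{
    demo_opts no_prompt = { 0 };

    printf("unsafe, NULL options:  %d (expect %d)\n",
           handle_expired_key_unsafe(NULL), WOULD_CRASH);
    printf("fixed,  NULL options:  %d (expect %d)\n",
           handle_expired_key_fixed(NULL), PROMPT);
    printf("fixed,  prompt off:    %d (expect %d)\n",
           handle_expired_key_fixed(&no_prompt), NO_PROMPT);
    return 0;
}
```

The ownership test `opte != options` is the same idiom the patch uses at its cleanup label; the difference worth noticing is that a NULL result from the helper is handled before any flag is read, so the cleanup comparison never runs with an unconverted pointer.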