From: | "Krier, Richard" <Richard.Krier@globalfoundries.com> |
To: | "krb5-bugs@mit.edu" <krb5-bugs@mit.edu> |
Date: | Wed, 8 Sep 2010 09:26:46 -0500 |
Subject: | Segmentation fault in krb library (sn2princ.c) if realm not resolved |
CC: | "Adhikari, Diwas" <diwas.adhikari@globalfoundries.com>, "Pinto, Kevin" <kevin.pinto@globalfoundries.com> |
Reply-To: Richard.Krier@globalfoundries.com
Cc:
X-send-pr-version: 3.99
>Submitter-Id:
>Originator: Richard Krier
>Organization: GlobalFoundries
>Confidential: no
>Synopsis: Segmentation fault in sn2princ.c if realm not resolved. Need checks for zero-length string and/or NULL pointer
>Severity: serious
>Priority: medium
>Category: krb5-bug
>Class: krb5-bug
>Release: 1.6.3, 1.8.3
>Environment:
<machine, os, target, libraries (multiple lines)>
System: AIX 5.3, Kerberos libraries built in 64-bit mode
Machine:
>Description:
1. sname_to_princ() (sn2princ.c) calls krb5_get_host_realm() to resolve the Kerberos realm from the host name.
2. If the realm is unresolved, krb5_get_host_realm() returns a zero-length string, i.e. 1 byte containing just '\0'.
3. sname_to_princ() then performs an inadequate check for realm resolution:
PROBLEM IS HERE:
    if (!hrealms[0]) { /* this only checks if the ptr is NULL, but not if the string is zero-length */
        free(remote_host);
        krb5_xfree(hrealms);
        return KRB5_ERR_HOST_REALM_UNKNOWN;
    }
4. sname_to_princ() then calls krb5_build_principal(); the principal is not created in this case, so *ret_princ is NULL.
ALSO HERE: No check is made to determine if *ret_princ is NULL before using it to make an assignment, as in point 5.
5. sname_to_princ() gets a segmentation fault trying to use the null *ret_princ to assign 'type'.
>How-To-Repeat:
N/A
>Fix:
In file sn2princ.c:
1. Modify the realm check above to test for either a NULL pointer or a zero-length string:
    if (!hrealms[0] || 0 == strlen(hrealms[0])) /* or perhaps ('\0' == hrealms[0][0]) */
2. Add a check for *ret_princ being NULL after calling krb5_build_principal():
    if (NULL == *ret_princ) {
        free(remote_host);
        krb5_xfree(hrealms);
        return KRB5_ERR_HOST_REALM_UNKNOWN;
    }
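As an added illustration of the two checks in this fix (not code from the report or from MIT krb5): the original pointer-only test beside the hardened one, and a model of the sname_to_princ() flow that refuses to touch a NULL principal. princ_t, build_principal() and the hrealms arrays are constructed stand-ins for the real krb5 types and calls.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for krb5_principal: only the field the report says
 * sname_to_princ() assigns after krb5_build_principal() returns. */
typedef struct { int type; const char *realm; } princ_t;

/* hrealms as krb5_get_host_realm() hands it back: a NULL-terminated array of
 * C strings; an unresolved realm arrives as "" (a single '\0'), not as NULL. */
char *constructed_unresolved[] = { "", NULL };
char *constructed_resolved[]   = { "EXAMPLE.COM", NULL };
princ_t constructed_storage;
princ_t *constructed_out;

/* The check as the report quotes it: true only for a NULL pointer. */
int realm_unknown_original(char **hrealms) {
    return hrealms == NULL || hrealms[0] == NULL;
}

/* Fix 1 from the report: NULL pointer or zero-length string both mean unknown. */
int realm_unknown_fixed(char **hrealms) {
    return hrealms == NULL || hrealms[0] == NULL || hrealms[0][0] == '\0';
}

/* Constructed stand-in for krb5_build_principal(): for an empty realm it
 * leaves *out NULL, which is the state the report says leads to the crash. */
static int build_principal(princ_t **out, const char *realm, princ_t *storage) {
    *out = NULL;
    if (realm == NULL || realm[0] == '\0') return -1;
    storage->type = 0; storage->realm = realm; *out = storage;
    return 0;
}

/* Models sname_to_princ() with both fixes applied.
 * Returns 0 on success, 1 for "host realm unknown", 2 if no principal was built. */
int sname_to_princ_model(char **hrealms, princ_t *storage, princ_t **ret_princ) {
    *ret_princ = NULL;
    if (realm_unknown_fixed(hrealms)) return 1;   /* KRB5_ERR_HOST_REALM_UNKNOWN */
    build_principal(ret_princ, hrealms[0], storage);
    if (*ret_princ == NULL) return 2;             /* fix 2: never touch a NULL principal */
    (*ret_princ)->type = 3;                       /* the assignment site that crashed */
    return 0;
}

int main(void) {
    printf("original check flags \"\" as unknown: %d\n", realm_unknown_original(constructed_unresolved));
    printf("fixed check flags \"\" as unknown:    %d\n", realm_unknown_fixed(constructed_unresolved));
    return 0;
}
```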