To: kfw-bugs@mit.edu
Subject: Bug in MIT Kerberos for Windows Version 3.2.2
From: David R Boldt <dboldt@usgs.gov>
Date: Thu, 2 Dec 2010 14:59:00 -0500

This morning KFW 3.2.2 began crashing immediately after the packets containing DNS resolution
results are returned to kinit. We have an Active Directory infrastructure with 103 KDCs; is there a limit
in the libraries that we may be encroaching on?


                                        -- David Boldt
                                            <dboldt@usgs.gov>


  "If I'd asked my customers what they wanted, they'd have said a faster horse."
        -- Henry Ford
Date: Fri, 03 Dec 2010 09:38:45 -0500
From: Jeffrey Altman <jaltman@secure-endpoints.com>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #6832] Bug in MIT Kerberos for Windows Version 3.2.2
On 12/3/2010 9:27 AM, David R Boldt via RT wrote:
>
> This morning KFW 3.2.2 began crashing immediately after the packets
> containing DNS resolution results are returned to kinit. We have an
> Active Directory infrastructure with 103 KDCs; is there a limit in the
> libraries that we may be encroaching on?

I suspect that the limit that is being reached is the maximum response
size in the wshelp32.dll resolver interface.

A crash dump would be helpful in identifying the actual cause.

To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #6832] Bug in MIT Kerberos for Windows Version 3.2.2
From: David R Boldt <dboldt@usgs.gov>
Date: Fri, 3 Dec 2010 10:48:12 -0500

> On 12/3/2010 9:27 AM, David R Boldt via RT wrote:
> >
> > This morning KFW 3.2.2 began crashing immediately after the packets
> > containing DNS resolution results are returned to kinit. We have an
> > Active Directory infrastructure with 103 KDCs; is there a limit in the
> > libraries that we may be encroaching on?
>
> I suspect that the limit that is being reached is the maximum response
> size in the wshelp32.dll resolver interface.
>
> A crash dump would be helpful in identifying the actual cause.

Function     Arg 1     Arg 2     Arg 3   Source
wshelp32!do_res_search+290     0146da74     00000001     00000021    
wshelp32!res_search+209     0146dcb4     00000001     00000021    
krb5_32!res_search+30     0146dcb4     00000001     00000021    
krb5_32!krb5int_dns_init+f4     0146dc90     0146dcb4     00000001    
krb5_32!krb5int_make_srv_query_realm+119     00f0c6f4     1c0884a0     1c088d80    
krb5_32!krb5_locate_srv_dns_1+27     00f0c6f4     1c0884a0     1c088d80    
krb5_32!dns_locate_server+eb     00f92908     00f0c6f4     0146df1c    
krb5_32!krb5int_locate_server+90     00f92908     00f0c6f4     0146e018    
krb5_32!krb5_locate_kdc+28     00f92908     00f0c6f4     0146e018    
krb5_32!krb5_sendto_kdc+132     00f92908     00effa28     00f0c6f4    
krb5_32!send_as_request+8b     00f92908     0146e1b0     0146e160    
krb5_32!krb5_get_init_creds+692     00f92908     0146f0a8     00f0c6f0    
krb5_32!krb5_get_init_creds_password+10a     00f92908     0146f0a8     00f0c6f0    
krb5cred!khm_krb5_kinit+3b9     00000000     00eff600     00000000    
krb5cred!k5_kinit_fiber_proc+12f     00000000     00000000     00000000    
kernel32!GetModuleFileNameA+1b4     01227004     00000000     00000000    
kernel32!ConvertThreadToFiber+93     00000000     00000000     00000000    
 

                                        -- David Boldt
                                            <dboldt@usgs.gov>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #6832] Bug in MIT Kerberos for Windows Version 3.2.2
From: David R Boldt <dboldt@usgs.gov>
Date: Thu, 9 Dec 2010 11:05:55 -0500

Update on the USGS Kerberos for Windows issue.

We've been able to replicate the KfW crash outside of Active Directory, using a huge set of SRV DNS records on a local DNS server.

The Department of Interior Active Directory team continues to vary the number of domain controllers in the GS domain. We must be very close to the DNS buffer limit in KfW, because occasionally this crash fails to occur.

We've traced the crash to a static buffer size in wshelper, a MIT-developed Winsock wrapper. This means that the problem is local to Windows.

We have been able to build a 32-bit wshelper DLL that contains a larger buffer. In testing, this fixes the problem in the production AD and test environments.

There are a few problems with building MIT's Kerberos for Windows. The KfW project's source assumes that we are using a specific version of MS Visual Studio (2003). This version is old, and any attempts to build KfW with newer versions are not likely to be successful. We were able to tweak the wshelper code in order to build the specific DLL in a newer MS Visual Studio. Jeff Altman has commented that newer VS versions will probably not be able to build the entire KfW package (http://mailman.mit.edu/pipermail/kfwdev/2007-July/000073.html).


                                        -- David Boldt
                                            <dboldt@usgs.gov>

Date: Thu, 09 Dec 2010 11:09:52 -0500
From: Jeffrey Altman <jaltman@secure-endpoints.com>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #6832] Bug in MIT Kerberos for Windows Version 3.2.2
On 12/9/2010 11:06 AM, David R Boldt via RT wrote:

> We have been able to build a 32-bit wshelper DLL that contains a larger
> buffer. In testing, this fixes the problem in the production AD and test
> environments.


Increasing the buffer size does not "fix" the problem. It avoids
running beyond the buffer. A fix for the problem would be proper
boundary testing to ensure that the code does not write to or read from
beyond the available buffer size.
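The boundary testing Jeffrey Altman describes, as an added C example that is not wshelper's or MIT's code: a copy into a caller-supplied answer buffer that refuses an oversized DNS response instead of writing past the buffer, and a caller that falls back to a heap buffer sized to the answer rather than relying on a bigger static one. ANSWER_BUF_SIZE, SRV_RECORD_BYTES and the 0xAB filler are assumptions constructed for the example; the thread gives neither the real buffer size nor the real record sizes.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a resolver helper handing a DNS answer back to
 * its caller (not wshelper's code). ANSWER_BUF_SIZE is an assumed static
 * buffer size; SRV_RECORD_BYTES is a constructed rough wire size of one
 * SRV record, so 103 KDCs yield a response far larger than the buffer. */
#define ANSWER_BUF_SIZE 1024
#define SRV_RECORD_BYTES 48
static unsigned char answer_buf[ANSWER_BUF_SIZE];
int last_used_heap;   /* 1 if the last delivery needed a heap buffer */

/* Bounds-checked copy: returns the byte count copied, or -1 when the
 * response would not fit. It never writes past anslen, so an oversized
 * answer becomes an error the caller handles rather than a crash. */
int copy_answer_checked(const unsigned char *resp, size_t resp_len,
                        unsigned char *answer, size_t anslen)
{
    if (resp == NULL || answer == NULL || resp_len > anslen)
        return -1;
    memcpy(answer, resp, resp_len);
    return (int)resp_len;
}

/* Caller pattern: try the static buffer first; if the checked copy
 * refuses, allocate a heap buffer of exactly resp_len bytes and retry.
 * kdc_count models the number of SRV records (103 in the report).
 * Returns bytes delivered, or -1 on allocation failure. */
int deliver_answer(size_t kdc_count)
{
    size_t resp_len = kdc_count * SRV_RECORD_BYTES;
    unsigned char *resp = malloc(resp_len);   /* constructed response */
    int n;
    last_used_heap = 0;
    if (resp == NULL)
        return -1;
    memset(resp, 0xAB, resp_len);             /* constructed filler bytes */
    n = copy_answer_checked(resp, resp_len, answer_buf, sizeof answer_buf);
    if (n < 0) {
        unsigned char *big = malloc(resp_len);
        if (big != NULL) {
            n = copy_answer_checked(resp, resp_len, big, resp_len);
            last_used_heap = 1;
            free(big);
        }
    }
    free(resp);
    return n;
}
```

With 10 records the answer fits the static buffer; with 103 it does not, and the checked copy's -1 forces the heap fallback rather than an overrun.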