Skip Menu |
 

History Show all quoted textShow full headers
# Mon Aug 19 14:17:03 2002 The RT System itself - Default: Import/ changed from (no value) to (no value)
Download (untitled) / with headers
text/plain 10.5KiB
From dgranzow@gunzour.isbu.digex.net Tue Feb 23 11:34:02 1999
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id LAA09614 for <bugs@RT-11.MIT.EDU>; Tue, 23 Feb 1999 11:34:01 -0500
Received: from gunzour.isbu.digex.net by MIT.EDU with SMTP
id AA15158; Tue, 23 Feb 99 11:34:32 EST
Received: from localhost (dgranzow@localhost)
by gunzour.isbu.digex.net (8.9.1b+Sun/8.9.1) with ESMTP id LAA03099
for <krb5-bugs@mit.edu>; Tue, 23 Feb 1999 11:33:56 -0500 (EST)
Message-Id: <Pine.GSO.4.05.9902231127480.11295-100000@gunzour.isbu.digex.net>
Date: Tue, 23 Feb 1999 11:33:56 -0500 (EST)
From: Doug Granzow <dgranzow@gunzour.isbu.digex.net>
To: krb5-bugs@MIT.EDU
Subject: kadmind problem

Show quoted text
>Number: 694
>Category: krb5-admin
>Synopsis: kadmind can be crashed by client
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: tlyu
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Feb 23 11:35:00 EST 1999
>Last-Modified: Tue Sep 18 17:36:06 EDT 2001
>Originator: Super-User
>Organization:
DIGEX, Inc.
Show quoted text
>Release: krb5-1.0.5
>Environment:

System: SunOS krb5-slave.digex.net.belt 5.6 Generic_105181-11 sun4u sparc SUNW,Ultra-1
Architecture: sun4

Show quoted text
>Description:
An authenticated kadmin user can cause the kadmind server to exit
by typing control-c immediately after typing "listprincs".

Show quoted text
>How-To-Repeat:
On any system, run kadmin. Once authenticated, enter the "listprincs"
command, then *immediately* type control-c before any response is
returned. The kadmind process on the kdc exits with nothing logged
to the log file. A core file is created in the root directory (/).

Show quoted text
>Fix:
Not known

Show quoted text
>Audit-Trail:

Responsible-Changed-From-To: gnats-admin->tlyu
Responsible-Changed-By: tlyu
Responsible-Changed-When: Mon Mar 1 21:31:11 1999
Responsible-Changed-Why:

refiled

State-Changed-From-To: open-feedback
State-Changed-By: tlyu
State-Changed-When: Mon Mar 1 21:31:46 1999
State-Changed-Why:

probable patch generated and queued for 1.0.6



From: Tom Yu <tlyu@MIT.EDU>
To: dgranzow@gunzour.isbu.digex.net
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-admin/694: kadmind can be crashed by client
Date: Mon, 1 Mar 1999 21:34:07 -0500 (EST)

Thanks for the report. Please try applying this patch and seeing if
you can still reproduce the problem. Also, it would be nice if you
could get a stack trace of the coredump, to ascertain whether it is
this particular problem or whether it is the SIGPIPE problem, which
I'm not certain whether or not we've fixed in 1.0.5. Thanks.

---Tom

Index: ovsec_kadmd.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/kadmin/server/ovsec_kadmd.c,v
retrieving revision 1.58.2.1
retrieving revision 1.58.2.2
diff -u -r1.58.2.1 -r1.58.2.2
--- ovsec_kadmd.c 1996/11/19 22:09:47 1.58.2.1
+++ ovsec_kadmd.c 1999/03/02 02:28:31 1.58.2.2
@@ -1,11 +1,11 @@
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
*
- * $Header: /cvs/krbdev/krb5/src/kadmin/server/ovsec_kadmd.c,v 1.58.2.1 1996/11/19 22:09:47 bjaspan Exp $
+ * $Header: /cvs/krbdev/krb5/src/kadmin/server/ovsec_kadmd.c,v 1.58.2.2 1999/03/02 02:28:31 tlyu Exp $
*/

#if !defined(lint) && !defined(__CODECENTER__)
-static char *rcsid = "$Header: /cvs/krbdev/krb5/src/kadmin/server/ovsec_kadmd.c,v 1.58.2.1 1996/11/19 22:09:47 bjaspan Exp $";
+static char *rcsid = "$Header: /cvs/krbdev/krb5/src/kadmin/server/ovsec_kadmd.c,v 1.58.2.2 1999/03/02 02:28:31 tlyu Exp $";
#endif

#include <stdio.h>
@@ -635,33 +635,58 @@
struct svc_req *rqst, struct rpc_msg *msg, char
*data)
{
- static const char *const proc_names[] = {
- "kadm5_create_principal",
- "kadm5_delete_principal",
- "kadm5_modify_principal",
- "kadm5_rename_principal",
- "kadm5_get_principal",
- "kadm5_chpass_principal",
- "kadm5_randkey_principal",
- "kadm5_create_policy",
- "kadm5_delete_policy",
- "kadm5_modify_policy",
- "kadm5_get_policy",
- "kadm5_get_privs",
+ struct procnames {
+ rpc_u_int32 proc;
+ const char *proc_name;
};
+ static const struct procnames proc_names[] = {
+ {1, "CREATE_PRINCIPAL"},
+ {2, "DELETE_PRINCIPAL"},
+ {3, "MODIFY_PRINCIPAL"},
+ {4, "RENAME_PRINCIPAL"},
+ {5, "GET_PRINCIPAL"},
+ {6, "CHPASS_PRINCIPAL"},
+ {7, "CHRAND_PRINCIPAL"},
+ {8, "CREATE_POLICY"},
+ {9, "DELETE_POLICY"},
+ {10, "MODIFY_POLICY"},
+ {11, "GET_POLICY"},
+ {12, "GET_PRIVS"},
+ {13, "INIT"},
+ {14, "GET_PRINCS"},
+ {15, "GET_POLS"},
+ };
+#define NPROCNAMES (sizeof (proc_names) / sizeof (struct procnames))
OM_uint32 minor;
gss_buffer_desc client, server;
gss_OID gss_type;
char *a;
+ rpc_u_int32 proc;
+ int i;
+ const char *procname;

(void) gss_display_name(&minor, client_name, &client, &gss_type);
(void) gss_display_name(&minor, server_name, &server, &gss_type);
a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr);

- krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, "
- "claimed client = %s, server = %s, addr = %s",
- proc_names[msg->rm_call.cb_proc], client.value,
- server.value, a);
+ proc = msg->rm_call.cb_proc;
+ procname = NULL;
+ for (i = 0; i < NPROCNAMES; i++) {
+ if (proc_names[i].proc == proc) {
+ procname = proc_names[i].proc_name;
+ break;
+ }
+ }
+ if (procname != NULL)
+ krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, "
+ "claimed client = %s, server = %s, addr = %s",
+ procname, client.value,
+ server.value, a);
+ else
+ krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, "
+ "claimed client = %s, server = %s, addr = %s",
+ proc, client.value,
+ server.value, a);

(void) gss_release_buffer(&minor, &client);
(void) gss_release_buffer(&minor, &server);

From: Doug Granzow <dgranzow@gunzour.isbu.digex.net>
To: Tom Yu <tlyu@MIT.EDU>
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-admin/694: kadmind can be crashed by client
Date: Wed, 3 Mar 1999 10:23:26 -0500 (EST)

Yes, this works! :) I tried the SIGPIPE patch I was given earlier and
that didn't seem to fix it. But after applying this patch and compiling
it, I can't crash kadmind anymore.

Thanks very much for your help. Let me know if you want any more
debugging info from me...

Doug

On Mon, 1 Mar 1999, Tom Yu wrote:

Show quoted text
> Thanks for the report. Please try applying this patch and seeing if
> you can still reproduce the problem. Also, it would be nice if you
> could get a stack trace of the coredump, to ascertain whether it is
> this particular problem or whether it is the SIGPIPE problem, which
> I'm not certain whether or not we've fixed in 1.0.5. Thanks.
>
> ---Tom
>
> Index: ovsec_kadmd.c
> ===================================================================
> RCS file: /cvs/krbdev/krb5/src/kadmin/server/ovsec_kadmd.c,v
> retrieving revision 1.58.2.1
> retrieving revision 1.58.2.2
> diff -u -r1.58.2.1 -r1.58.2.2
> --- ovsec_kadmd.c 1996/11/19 22:09:47 1.58.2.1
> +++ ovsec_kadmd.c 1999/03/02 02:28:31 1.58.2.2
> @@ -1,11 +1,11 @@
> /*
> * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
> *
> - * $Header: /cvs/krbdev/krb5/src/kadmin/server/ovsec_kadmd.c,v 1.58.2.1 1996/11/19 22:09:47 bjaspan Exp $
> + * $Header: /cvs/krbdev/krb5/src/kadmin/server/ovsec_kadmd.c,v 1.58.2.2 1999/03/02 02:28:31 tlyu Exp $
> */
>
> #if !defined(lint) && !defined(__CODECENTER__)
> -static char *rcsid = "$Header: /cvs/krbdev/krb5/src/kadmin/server/ovsec_kadmd.c,v 1.58.2.1 1996/11/19 22:09:47 bjaspan Exp $";
> +static char *rcsid = "$Header: /cvs/krbdev/krb5/src/kadmin/server/ovsec_kadmd.c,v 1.58.2.2 1999/03/02 02:28:31 tlyu Exp $";
> #endif
>
> #include <stdio.h>
> @@ -635,33 +635,58 @@
> struct svc_req *rqst, struct rpc_msg *msg, char
> *data)
> {
> - static const char *const proc_names[] = {
> - "kadm5_create_principal",
> - "kadm5_delete_principal",
> - "kadm5_modify_principal",
> - "kadm5_rename_principal",
> - "kadm5_get_principal",
> - "kadm5_chpass_principal",
> - "kadm5_randkey_principal",
> - "kadm5_create_policy",
> - "kadm5_delete_policy",
> - "kadm5_modify_policy",
> - "kadm5_get_policy",
> - "kadm5_get_privs",
> + struct procnames {
> + rpc_u_int32 proc;
> + const char *proc_name;
> };
> + static const struct procnames proc_names[] = {
> + {1, "CREATE_PRINCIPAL"},
> + {2, "DELETE_PRINCIPAL"},
> + {3, "MODIFY_PRINCIPAL"},
> + {4, "RENAME_PRINCIPAL"},
> + {5, "GET_PRINCIPAL"},
> + {6, "CHPASS_PRINCIPAL"},
> + {7, "CHRAND_PRINCIPAL"},
> + {8, "CREATE_POLICY"},
> + {9, "DELETE_POLICY"},
> + {10, "MODIFY_POLICY"},
> + {11, "GET_POLICY"},
> + {12, "GET_PRIVS"},
> + {13, "INIT"},
> + {14, "GET_PRINCS"},
> + {15, "GET_POLS"},
> + };
> +#define NPROCNAMES (sizeof (proc_names) / sizeof (struct procnames))
> OM_uint32 minor;
> gss_buffer_desc client, server;
> gss_OID gss_type;
> char *a;
> + rpc_u_int32 proc;
> + int i;
> + const char *procname;
>
> (void) gss_display_name(&minor, client_name, &client, &gss_type);
> (void) gss_display_name(&minor, server_name, &server, &gss_type);
> a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr);
>
> - krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, "
> - "claimed client = %s, server = %s, addr = %s",
> - proc_names[msg->rm_call.cb_proc], client.value,
> - server.value, a);
> + proc = msg->rm_call.cb_proc;
> + procname = NULL;
> + for (i = 0; i < NPROCNAMES; i++) {
> + if (proc_names[i].proc == proc) {
> + procname = proc_names[i].proc_name;
> + break;
> + }
> + }
> + if (procname != NULL)
> + krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, "
> + "claimed client = %s, server = %s, addr = %s",
> + procname, client.value,
> + server.value, a);
> + else
> + krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, "
> + "claimed client = %s, server = %s, addr = %s",
> + proc, client.value,
> + server.value, a);
>
> (void) gss_release_buffer(&minor, &client);
> (void) gss_release_buffer(&minor, &server);
>

State-Changed-From-To: feedback-closed
State-Changed-By: tlyu
State-Changed-When: Tue Sep 18 17:35:32 2001
State-Changed-Why:
Fixed long ago.

Show quoted text
>Unformatted:
# Mon Aug 19 14:17:03 2002 The RT System itself - Component krb5-admin added
# Mon Aug 19 14:17:04 2002 The RT System itself - Version_reported 1.0.5 added
# Wed Mar 12 00:31:48 2003 tlyu (Taylor Yu) - Version_Fixed 1.2 added