From donn@u.washington.edu Tue Oct 5 17:42:50 1999
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id RAA02833 for <bugs@RT-11.MIT.EDU>; Tue, 5 Oct 1999 17:42:49 -0400
Received: from jason02.u.washington.edu by MIT.EDU with SMTP
id AA02488; Tue, 5 Oct 99 17:42:42 EDT
Received: from saul8.u.washington.edu (donn@saul8.u.washington.edu [140.142.82.3])
by jason02.u.washington.edu (8.9.3+UW99.09/8.9.3+UW99.08) with ESMTP id OAA15038
for <krb5-bugs@mit.edu>; Tue, 5 Oct 1999 14:42:45 -0700
Received: (from donn@localhost)
by saul8.u.washington.edu (8.9.3+UW99.09/8.9.3+UW99.08) id OAA21265;
Tue, 5 Oct 1999 14:42:44 -0700 (PDT)
Message-Id: <199910052142.OAA21265@saul8.u.washington.edu>
Date: Tue, 5 Oct 1999 14:42:44 -0700 (PDT)
From: Donn Cave <donn@u.washington.edu>
Reply-To: donn@u.washington.edu
To: krb5-bugs@MIT.EDU
Subject: login.c calls krb5_cc_destroy() on null pointer
X-Send-Pr-Version: 3.99

>Number: 763
>Category: krb5-appl
>Synopsis: login.c calls krb5_cc_destroy() on null pointer
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Oct 05 17:43:00 EDT 1999
>Last-Modified:
>Originator: Donn Cave
>Organization:
University Computing Services
University of Washington
>Release: krb5-1.1
>Environment:
System: AIX 4.2
Machine: RS/6000
>Description:
In appl/bsd/login.c, lpass_ok branches out of the password check loop
before some Kerberos credentials logic that sets xtra_creds. Then
subsequent to that loop there's more Kerberos credentials logic that
expects the earlier logic to have executed, leaving a valid xtra_creds.
Since it's actually a null pointer, login aborts as a result and the
connection terminates.

>How-To-Repeat:
Make sure password is the same for Kerberos and the local system.
Log in via telnet, without telnet service ticket so login will use
password to acquire TGT.

>Fix:
I took the liberty of removing a comment that seems to be outdated,
and I moved the lpass_ok test down below the Kerberos stuff.
This should address today's actual problem, but the following diff
also shows the segfault area re-coded in a way that will be more
robust and also easier to extend or debug.

[Line numbers reflect a couple of other patches]

*** appl/bsd/login.c.dist Thu Sep 23 15:40:09 1999
--- appl/bsd/login.c Tue Oct 5 14:07:52 1999
***************
*** 1303,1321 ****
setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
}

- /* Policy: If local password is good, user is good.
- We really can't trust the Kerberos password,
- because somebody on the net could spoof the
- Kerberos server (not easy, but possible).
- Some sites might want to use it anyways, in
- which case they should change this line
- to:
- if (kpass_ok)
- */
-
- if (lpass_ok)
- break;
-
if (got_v5_tickets) {
if (retval = krb5_verify_init_creds(kcontext, &my_creds, NULL,
NULL, &xtra_creds,
--- 1304,1309 ----
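Review bot: deleting the policy comment together with the `if (lpass_ok) break;` removes the only explanation of why a good local password is treated as authoritative over the Kerberos one; carry that rationale to wherever the check lands instead of dropping it. Moving the break below the `got_v5_tickets` block also changes behaviour for users whose local password succeeded: `krb5_verify_init_creds()` now runs for them as well, so confirm that a failure there (the code after `&xtra_creds,` is outside this hunk) only clears the ticket state and cannot turn a login that previously succeeded on the local password into `bad_login`.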
***************
*** 1338,1343 ****
--- 1326,1334 ----
}
#endif /* KRB4_GET_TICKETS */

+ if (lpass_ok)
+ break;
+
bad_login:
setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);

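Review bot: the relocated `if (lpass_ok) break;` lands after `#endif /* KRB4_GET_TICKETS */` with no comment, so a reader no longer sees that a successful local password is the intended exit from the loop; restore the policy note from the original site here (shortened is fine). Also confirm that every path through the V5 and V4 ticket blocks above reaches this line when `lpass_ok` is set, since any earlier exit from the loop would reintroduce the situation the report describes, where later code expects `xtra_creds` to have been set.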
***************
*** 1634,1652 ****
/* set up credential cache -- obeying KRB5_ENV_CCNAME
set earlier */
/* (KRB5_ENV_CCNAME == "KRB5CCNAME" via osconf.h) */
! if (retval = krb5_cc_default(kcontext, &ccache)) {
com_err(argv[0], retval, "while getting default ccache");
! } else if (retval = krb5_cc_initialize(kcontext, ccache, me)) {
! com_err(argv[0], retval, "when initializing cache");
! } else if (retval = krb5_cc_store_cred(kcontext, ccache, &my_creds)) {
! com_err(argv[0], retval, "while storing credentials");
! } else if (xtra_creds &&
! (retval = krb5_cc_copy_creds(kcontext, xtra_creds,
! ccache))) {
! com_err(argv[0], retval, "while storing credentials");
}
-
- krb5_cc_destroy(kcontext, xtra_creds);
} else if (forwarded_v5_tickets && rewrite_ccache) {
if ((retval = krb5_cc_initialize (kcontext, ccache, me))) {
syslog(LOG_ERR,
--- 1625,1652 ----
/* set up credential cache -- obeying KRB5_ENV_CCNAME
set earlier */
/* (KRB5_ENV_CCNAME == "KRB5CCNAME" via osconf.h) */
! retval = krb5_cc_default(kcontext, &ccache);
! if (retval)
com_err(argv[0], retval, "while getting default ccache");
! else {
! retval = krb5_cc_initialize(kcontext, ccache, me);
! if (retval)
! com_err(argv[0], retval, "when initializing cache");
! else {
! retval = krb5_cc_store_cred(kcontext, ccache, &my_creds);
! if (retval)
! com_err(argv[0], retval, "while storing credentials");
! else {
! if (xtra_creds) {
! retval = krb5_cc_copy_creds(kcontext, xtra_creds,
! ccache);
! if (retval)
! com_err(argv[0], retval, "while storing credentials");
! krb5_cc_destroy(kcontext, xtra_creds);
! }
! }
! }
}
} else if (forwarded_v5_tickets && rewrite_ccache) {
if ((retval = krb5_cc_initialize (kcontext, ccache, me))) {
syslog(LOG_ERR,
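Review bot: moving `krb5_cc_destroy(kcontext, xtra_creds);` inside `if (xtra_creds)` fixes the call on a null pointer, but the destroy now happens only in the innermost success branch: when `krb5_cc_default()`, `krb5_cc_initialize()` or `krb5_cc_store_cred()` fails while `xtra_creds` is non-null, the temporary cache that `krb5_verify_init_creds()` handed back is never destroyed. The original code released it on every path; keep that property by leaving the `else if` chain as it was and appending `if (xtra_creds) krb5_cc_destroy(kcontext, xtra_creds);` after the chain, which also avoids four levels of nesting. Minor: the `krb5_cc_copy_creds()` failure reuses the `"while storing credentials"` message, so the two errors are indistinguishable in the log; give the copy step its own text.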
>Audit-Trail:
>Unformatted: