From djm@web.us.uu.net Fri Apr 14 12:32:47 2000
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2])
by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id MAA03215
for <bugs@RT-11.MIT.EDU>; Fri, 14 Apr 2000 12:32:46 -0400 (EDT)
Received: from jenkins.web.us.uu.net by MIT.EDU with SMTP
id AA04731; Fri, 14 Apr 00 12:32:41 EDT
Received: from dagger.web.us.uu.net by jenkins.web.us.uu.net with ESMTP
(peer crosschecked as: dagger.web.us.uu.net [208.211.134.28])
id MAA11593; Fri, 14 Apr 2000 12:32:44 -0400 (EDT)
Received: by dagger.web.us.uu.net
id MAA28553; Fri, 14 Apr 2000 12:32:21 -0400
Message-Id: <MAA28553.200004141632@dagger.web.us.uu.net>
Date: Fri, 14 Apr 2000 12:32:21 -0400
From: djm@web.us.uu.net (David J. MacKenzie)
Reply-To: djm@web.us.uu.net
To: krb5-bugs@MIT.EDU
Cc: djm@web.us.uu.net
Subject: overly restrictive buffer in interfaces list
X-Send-Pr-Version: 3.99

>Number: 840
>Category: krb5-libs
>Synopsis: fixed-size buffer breaks with >25 IP addresses
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Apr 14 12:33:01 EDT 2000
>Last-Modified: Fri Apr 21 09:03:00 EDT 2000
>Originator: David MacKenzie
>Organization:
UUNET Technologies
>Release: krb5-1.1.1
>Environment:

System: SunOS prod-303a.tco3.web.wcom.net 5.6 Generic_105181-05 sun4u sparc

Architecture: sparc

>Description:
An arbitrary fixed-length buffer breaks Kerberos when the
machine has >25 IP addresses configured on it, at least on
Solaris 2.6.

>How-To-Repeat:
I believe the symptom was that Kerberos authentication failed
on our hosts with >25 IP addresses configured, until this patch
was installed.
>Fix:

This fix is from walrus@ans.net (Michael Shiplett), one of UUNET's
security engineers.

diff --exclude=*,v --exclude=CVS -ur /homes/elves/djm/src/krb5-1.1.1/src/lib/krb5/os/localaddr.c src/lib/krb5/os/localaddr.c
--- /homes/elves/djm/src/krb5-1.1.1/src/lib/krb5/os/localaddr.c Fri Dec 17 15:48:09 1999
+++ src/lib/krb5/os/localaddr.c Tue Mar 28 04:34:55 2000
@@ -115,22 +115,50 @@
struct ifreq *ifr, ifreq;
struct ifconf ifc;
int s, code, n, i;
- char buf[1024];
- krb5_address *addr_temp [ 1024/sizeof(struct ifreq) ];
+ int ifnum;
+ krb5_address **addr_temp;
int n_found;
int mem_err = 0;

- memset(buf, 0, sizeof(buf));
- ifc.ifc_len = sizeof(buf);
- ifc.ifc_buf = buf;
-
s = socket (USE_AF, USE_TYPE, USE_PROTO);
if (s < 0)
return SOCKET_ERRNO;

+#ifdef SIOCGIFNUM
+ code = ioctl (s, SIOCGIFNUM, &ifnum);
+ if (code < 0) {
+ int retval = errno;
+ closesocket (s);
+ return retval;
+ }
+#else
+ ifnum = 50; /* Twice the old value. */
+#endif
+
+ addr_temp = malloc(ifnum * sizeof(addr_temp));
+ if (addr_temp == NULL)
+ {
+ int retval = errno;
+ closesocket (s);
+ return retval;
+ }
+
+ ifc.ifc_len = ifnum * sizeof(struct ifreq);
+ ifc.ifc_buf = malloc(ifc.ifc_len);
+ if (ifc.ifc_buf == NULL)
+ {
+ int retval = errno;
+ free(addr_temp);
+ closesocket (s);
+ return retval;
+ }
+ memset(ifc.ifc_buf, 0, ifc.ifc_len);
+
code = ioctl (s, SIOCGIFCONF, (char *)&ifc);
if (code < 0) {
int retval = errno;
+ free(ifc.ifc_buf);
+ free(addr_temp);
closesocket (s);
return retval;
}
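Review bot: `addr_temp = malloc(ifnum * sizeof(addr_temp));` sizes each element as `sizeof(krb5_address **)` when the array holds `krb5_address *` values; both are pointers, so the allocation is right only by coincidence, and it should read `malloc(ifnum * sizeof(*addr_temp))`. Two further gaps in this hunk: the `#else` branch keeps a hard ceiling (`ifnum = 50; /* Twice the old value. */`), so on platforms without SIOCGIFNUM the reported failure simply moves from 26 to 51 addresses, and after `ioctl (s, SIOCGIFCONF, (char *)&ifc)` nothing compares the returned `ifc.ifc_len` against the `ifnum * sizeof(struct ifreq)` that was requested, so a completely filled buffer (an interface added between the two ioctls) is indistinguishable from a complete result. Document the assumption, or treat a full buffer as "retry with a larger one".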
@@ -232,6 +260,8 @@
krb5_xfree(addr_temp[i]);
addr_temp[i] = 0;
}
+ free(ifc.ifc_buf);
+ free(addr_temp);
return ENOMEM;
}

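Review bot: the `free(ifc.ifc_buf); free(addr_temp);` pair added before `return ENOMEM;` is the fourth copy of the same cleanup in this function (after the `addr_temp` allocation failure, the `ifc_buf` allocation failure and the SIOCGIFCONF failure in the previous hunk), and the unchanged region between old lines 136 and 232 is not part of the diff, so any early `return` there would still leak both buffers. A single cleanup label that frees `ifc.ifc_buf` and `addr_temp`, closes the socket where it is still open, and returns `retval` would let the leak-freedom of every exit path be checked in one place.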
@@ -239,6 +269,8 @@
(*addr)[i] = addr_temp[i];
}
(*addr)[n_found] = 0;
+ free(ifc.ifc_buf);
+ free(addr_temp);
return 0;
}

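Review bot: a comment is missing here that `addr_temp` is only a scratch array whose element pointers have just been moved into `*addr` (`(*addr)[i] = addr_temp[i];`), so freeing the array but not its elements is intentional on this path while the ENOMEM path in the previous hunk frees the elements with `krb5_xfree` as well. The surrounding code releases `krb5_address` objects through `krb5_xfree`, while the new buffers are paired as plain `malloc`/`free`; that pairing is correct as written, but keeping it consistent matters if `krb5_xfree` ever stops being a thin wrapper over `free`.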
>Audit-Trail:

From: Ken Raeburn <raeburn@MIT.EDU>
To: djm@web.us.uu.net
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-libs/840: overly restrictive buffer in interfaces list
Date: 21 Apr 2000 09:02:22 -0400

> An arbitrary fixed-length buffer breaks Kerberos when the
> machine has >25 IP addresses configured on it, at least on
> Solaris 2.6.

Wow, someone else actually ran into that?

For 1.2 we've got it set up to loop calling ioctl with bigger and
bigger buffers until the kernel appears not to need any more (which so
far we're determining only through heuristics). A beta should be out
RSN; please let me know if it doesn't work for you.

Ken
>Unformatted:
fixed in 1.2