From: Alexander Karaivanov <alexander.karaivanov@karoshealth.com>
To: krb5-bugs@mit.edu
Subject: Bug in mslsa ccahe
Date: Thu, 30 Mar 2017 23:23:51 +0200
Hi

I believe I've found a bug in mit krb. The bug is in krb5_lcc_data()
in src/lib/krb5/ccache/cc_mslsa.c.

When krb5_lcc_data is allocated, data->flags is not initialized. As a
result, krb5_lcc_next_cred() may not copy the ticket if flags happens
to have the KRB5_TC_NOTICKET bit randomly set.

Here is a simple fix:

diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c
index 7a80470..c741a50 100644
--- a/src/lib/krb5/ccache/cc_mslsa.c
+++ b/src/lib/krb5/ccache/cc_mslsa.c
@@ -1553,6 +1553,7 @@ krb5_lcc_resolve (krb5_context context,
krb5_ccache *id, const char *residual)
data->LogonHandle = LogonHandle;
data->PackageId = PackageId;
data->princ = NULL;
+ data->flags = 0;

data->cc_name = (char *)malloc(strlen(residual)+1);
if (data->cc_name == NULL) {
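Review bot: Setting only `data->flags = 0;` cures the reported member but leaves every other byte of the block in whatever state the allocator returned it; the surrounding context (`data->princ = NULL;`, `data->LogonHandle = LogonHandle;`) shows members being initialized one at a time, so if the allocation above this hunk (not shown) is a plain malloc(), any member added to krb5_lcc_data later will repeat this bug. Suggest zeroing the whole block at allocation (calloc(), or a memset() immediately after malloc()) and keeping explicit assignments only for members whose correct default is not zero. Note also that the hunk header places the change in krb5_lcc_resolve(), whereas the report text names krb5_lcc_data(); the commit message should name the function that was changed.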


Regards

Alex.

--
Alexander D. Karaivanov, System Developer | Karos Health, Krumtappen 4,3.th,2500 Valby, Denmark
Phone:+ 45 46550444, Mobile: +45 40995501 | skype: alexander.karaivanov, gtalk: alexander.karaivanov@karoshealth.com
Date: Wed, 5 Apr 2017 21:47:08 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #8567] Bug in mslsa ccahe
On Fri, Mar 31, 2017 at 12:06:53AM -0400, Alexander Karaivanov via RT wrote:
> Hi
>
> I believe I've found a bug in mit krb. The bug is in krb5_lcc_data()
> in src/lib/krb5/ccache/cc_mslsa.c.
>
> When krb5_lcc_data is allocated, data->flags is not initialized. As a
> result, krb5_lcc_next_cred() may not copy the ticket if flags happens
> to have the KRB5_TC_NOTICKET bit randomly set.
>
> Here is a simple fix:
>
> diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c
> index 7a80470..c741a50 100644
> --- a/src/lib/krb5/ccache/cc_mslsa.c
> +++ b/src/lib/krb5/ccache/cc_mslsa.c
> @@ -1553,6 +1553,7 @@ krb5_lcc_resolve (krb5_context context,
> krb5_ccache *id, const char *residual)
> data->LogonHandle = LogonHandle;
> data->PackageId = PackageId;
> data->princ = NULL;
> + data->flags = 0;
>
> data->cc_name = (char *)malloc(strlen(residual)+1);
> if (data->cc_name == NULL) {

One could argue whether we should just zero the entire allocation
(and drop the princ and flags initialization as redundant), but on
first look this seems to generally be the right thing to do.

-Ben
From: Alexander Karaivanov <alexander.karaivanov@karoshealth.com>
Subject: Re: [krbdev.mit.edu #8567] Bug in mslsa ccahe
To: rt-comment@krbdev.mit.edu
Date: Thu, 6 Apr 2017 11:18:45 +0200
On 04/06/2017 04:47 AM, Benjamin Kaduk via RT wrote:
> On Fri, Mar 31, 2017 at 12:06:53AM -0400, Alexander Karaivanov via RT wrote:
>> Hi
>>
>> I believe I've found a bug in mit krb. The bug is in krb5_lcc_data()
>> in src/lib/krb5/ccache/cc_mslsa.c.
>>
>> When krb5_lcc_data is allocated, data->flags is not initialized. As a
>> result, krb5_lcc_next_cred() may not copy the ticket if flags happens
>> to have the KRB5_TC_NOTICKET bit randomly set.
>>
>> Here is a simple fix:
>>
>> diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c
>> index 7a80470..c741a50 100644
>> --- a/src/lib/krb5/ccache/cc_mslsa.c
>> +++ b/src/lib/krb5/ccache/cc_mslsa.c
>> @@ -1553,6 +1553,7 @@ krb5_lcc_resolve (krb5_context context,
>> krb5_ccache *id, const char *residual)
>> data->LogonHandle = LogonHandle;
>> data->PackageId = PackageId;
>> data->princ = NULL;
>> + data->flags = 0;
>>
>> data->cc_name = (char *)malloc(strlen(residual)+1);
>> if (data->cc_name == NULL) {
> One could argue whether we should just zero the entire allocation
> (and drop the princ and flags initialization as redundant), but on
> first look this seems to generally be the right thing to do.
>
> -Ben
That was my first thought too, to be on the safe side, but then I thought one had better decide, for every (potentially added in future) variable of the
structure, what the correct default/initial value is... Zero may or may not be the correct one.

Alex.


--
Alexander D. Karaivanov, System Developer
Karos Health, Krumtappen 4,3.th,2500 Valby, Denmark | Phone:+ 45 46550444, Mobile: +45 40995501
skype: alexander.karaivanov, gtalk: alexander.karaivanov@karoshealth.com
From: ghudson@mit.edu
Subject: git commit

Fix uninitialized flags in MSLSA ccache type

The flags field in krb5_lcc_data is not initialized in
krb5_lcc_resolve(), so krb5_lcc_next_cred() can sometimes fail to
include a ticket when retrieving a ccache entry. This results in a
"Request did not supply a ticket" error from k5_make_tgs_req() when
trying to use the credential.

[ghudson@mit.edu: condensed commit message]

https://github.com/krb5/krb5/commit/e5a78d4c90d9d6968c94b0c07f2cd3835f02aa5d
Author: Alexander Karaivanov <alexander.karaivanov@karoshealth.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: e5a78d4c90d9d6968c94b0c07f2cd3835f02aa5d
Branch: master
src/lib/krb5/ccache/cc_mslsa.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Fix uninitialized flags in MSLSA ccache type

The flags field in krb5_lcc_data is not initialized in
krb5_lcc_resolve(), so krb5_lcc_next_cred() can sometimes fail to
include a ticket when retrieving a ccache entry. This results in a
"Request did not supply a ticket" error from k5_make_tgs_req() when
trying to use the credential.

[ghudson@mit.edu: condensed commit message]

(cherry picked from commit e5a78d4c90d9d6968c94b0c07f2cd3835f02aa5d)

https://github.com/krb5/krb5/commit/4d2d6096c181eb2ec79597dc94d48b31af606615
Author: Alexander Karaivanov <alexander.karaivanov@karoshealth.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 4d2d6096c181eb2ec79597dc94d48b31af606615
Branch: krb5-1.14
src/lib/krb5/ccache/cc_mslsa.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Fix uninitialized flags in MSLSA ccache type

The flags field in krb5_lcc_data is not initialized in
krb5_lcc_resolve(), so krb5_lcc_next_cred() can sometimes fail to
include a ticket when retrieving a ccache entry. This results in a
"Request did not supply a ticket" error from k5_make_tgs_req() when
trying to use the credential.

[ghudson@mit.edu: condensed commit message]

(cherry picked from commit e5a78d4c90d9d6968c94b0c07f2cd3835f02aa5d)

https://github.com/krb5/krb5/commit/d1f8fc8a7532d26b3b44a050b3ef71491f5a224d
Author: Alexander Karaivanov <alexander.karaivanov@karoshealth.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: d1f8fc8a7532d26b3b44a050b3ef71491f5a224d
Branch: krb5-1.15
src/lib/krb5/ccache/cc_mslsa.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)