Skip Menu |
 

From: Robbie Harwood <rharwood@redhat.com>
To: krb5-bugs@mit.edu
Subject: Incorrect error handling in OTP plugin
Date: Thu, 21 Jun 2018 14:08:30 -0400
In otp_state.c:callback(), if we did not receive an accept packet, but
were not out of tokens, we invoke request_send() and then fall through
to the error case. This results in two things happening:

- First, we yield a failure. If request_send() succeeded, then we
erroneously report failure. But if request_send() has failed, we
report the failure again, and request_send() has already freed the
request object (making this a use-after-free).

- Second, we call request_free(). However, since request_send()
may have already freed the request, this is a double-free.

Thanks,
--Robbie
Download signature.asc
application/pgp-signature 832B

Message body not shown because it is not plain text.

From: ghudson@mit.edu
Subject: git commit

Correctly handle fallback in KDC OTP callback

In otp_state.c:callback(), avoid invoking the failure callback when we
fall back to the next token. Since request_send() consumes the
request, don't try to free it.

[ghudson@mit.edu: added test case; edited commit message]

https://github.com/krb5/krb5/commit/09c9b7d6f64767429e90ad11a529e6ffa9538043
Author: Robbie Harwood <rharwood@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 09c9b7d6f64767429e90ad11a529e6ffa9538043
Branch: master
src/plugins/preauth/otp/otp_state.c | 1 +
src/tests/t_otp.py | 28 +++++++++++++++++++++++++---
2 files changed, 26 insertions(+), 3 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Correctly handle fallback in KDC OTP callback

In otp_state.c:callback(), avoid invoking the failure callback when we
fall back to the next token. Since request_send() consumes the
request, don't try to free it.

[ghudson@mit.edu: added test case; edited commit message]

(cherry picked from commit 09c9b7d6f64767429e90ad11a529e6ffa9538043)

https://github.com/krb5/krb5/commit/4d8cd7daa15abf6a9ed4c46334968aef7d099b83
Author: Robbie Harwood <rharwood@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 4d8cd7daa15abf6a9ed4c46334968aef7d099b83
Branch: krb5-1.16
src/plugins/preauth/otp/otp_state.c | 1 +
src/tests/t_otp.py | 28 +++++++++++++++++++++++++---
2 files changed, 26 insertions(+), 3 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Correctly handle fallback in KDC OTP callback

In otp_state.c:callback(), avoid invoking the failure callback when we
fall back to the next token. Since request_send() consumes the
request, don't try to free it.

[ghudson@mit.edu: added test case; edited commit message]

(cherry picked from commit 09c9b7d6f64767429e90ad11a529e6ffa9538043)

https://github.com/krb5/krb5/commit/cf00f0538b6b6e45171739a49424281a1802bb26
Author: Robbie Harwood <rharwood@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: cf00f0538b6b6e45171739a49424281a1802bb26
Branch: krb5-1.15
src/plugins/preauth/otp/otp_state.c | 1 +
src/tests/t_otp.py | 28 +++++++++++++++++++++++++---
2 files changed, 26 insertions(+), 3 deletions(-)