To: krb5-bugs@mit.edu
From: "Jeffrey Arbuckle" <jeffa.lans@gmail.com>
Subject: segfault in krb5-1.17.1/src/lib/krb5/krb/authdata.c
Date: Wed, 18 Dec 2019 11:40:29 -0700
I have run into a segfault bug with krb5-1.17.1 and earlier versions at:

lib/krb5/krb/authdata.c, line 562:

          for (n_elements = 0; elements[n_elements] != NULL; n_elements++);

The segfault occurs because elements is NULL.

This is due to the earlier call to k5_unwrap_cammac_svc() that returns
KRB5KRB_AP_ERR_BAD_INTEGRITY and leaves elements as NULL:

lib/krb5/krb/authdata.c, line 556:

        ret = k5_unwrap_cammac_svc(kcontext, cammacs[i], key, &elements);
        if (ret && ret != KRB5KRB_AP_ERR_BAD_INTEGRITY)

The issue is fixable with the following patch, but the bypassing of the
KRB5KRB_AP_ERR_BAD_INTEGRITY result is suspect:

--- krb5-1.17.1/src/lib/krb5/krb/authdata.c     2019-12-11 10:13:10.000000000 -0700
+++ krb5-1.17.1/src/lib/krb5/krb/authdata.c.    2019-12-18 11:27:06.555957314 -0700
@@ -558,6 +558,8 @@
             goto cleanup;
         ret = 0;

+        if ( elements == NULL ) continue;
+
         /* Add the verified elements to list and free the container array. */
         for (n_elements = 0; elements[n_elements] != NULL; n_elements++);
         new_list = realloc(list, (count + n_elements + 1) * sizeof(*list));
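Review bot: the added line `+        if ( elements == NULL ) continue;` uses spaces inside the parentheses and keeps the body on the same line, unlike the surrounding `if (ret && ret != KRB5KRB_AP_ERR_BAD_INTEGRITY)` followed by `goto cleanup;` on its own line; reformat it to match. A short comment stating why a NULL array is skipped would also help, since the report calls the tolerance of KRB5KRB_AP_ERR_BAD_INTEGRITY suspect: the existing check already continues past an unverifiable service verifier (it sets `ret = 0;` and falls through), and the guard only stops that existing path from dereferencing NULL rather than introducing a new bypass. The `+++` header path ends in `authdata.c.`, which looks like a stray character in the filename.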


--Jeffrey
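Added example, not krb5's own code: the element-merging loop from extract_cammacs() as the report describes it, carrying the patch's NULL guard, with const char * strings standing in for krb5_authdata pointers; merge_elements() and demo_merge() are names chosen here, and the inputs are constructed.

```c
/* Added example, not krb5 code: models the extract_cammacs() merge loop. */
#include <stdlib.h>
#include <string.h>

/* Each source is a NULL-terminated element array, or NULL when the producer
 * (k5_unwrap_cammac_svc() in krb5) verified nothing. Returns 0, or -1 on OOM. */
static int
merge_elements(const char **sources[], size_t nsources,
               const char ***out_list, size_t *out_count)
{
    const char **list = NULL, **new_list, **elements;
    size_t count = 0, n_elements, i;

    for (i = 0; i < nsources; i++) {
        elements = sources[i];
        /* The guard from the patch: an unverified or empty CAMMAC yields no
         * element array, so skip it rather than dereference NULL below. */
        if (elements == NULL)
            continue;
        for (n_elements = 0; elements[n_elements] != NULL; n_elements++) { }
        new_list = realloc(list, (count + n_elements + 1) * sizeof(*list));
        if (new_list == NULL) {
            free(list);
            return -1;
        }
        list = new_list;
        memcpy(list + count, elements, n_elements * sizeof(*list));
        count += n_elements;
        list[count] = NULL;   /* keep the merged result NULL-terminated */
    }
    *out_list = list;
    *out_count = count;
    return 0;
}

/* Constructed input: the second and fourth sources model CAMMACs whose
 * service verifier failed the integrity check. Returns the merged count. */
static size_t
demo_merge(void)
{
    const char *a[] = { "pac", "kdc-issued", NULL };
    const char *c[] = { "ad-if-relevant", NULL };
    const char **sources[] = { a, NULL, c, NULL };
    const char **merged = NULL;
    size_t count = 0;

    if (merge_elements(sources, 4, &merged, &count) != 0)
        return 0;
    free(merged);
    return count;   /* 3 */
}
```

Without the `elements == NULL` check, the counting loop reads through a NULL pointer for the second source, which is the segfault the report describes.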
Subject: git commit
From: ghudson@mit.edu

Fix handling of invalid CAMMAC service verifier

In extract_cammacs(), avoid a null dereference if the CAMMAC service
verifier is invalid or the CAMMAC is empty.

https://github.com/krb5/krb5/commit/8451ff6ed57361de585a35f35a39c54dc48172c7
Author: Jeffrey Arbuckle <jeffa.lans@gmail.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 8451ff6ed57361de585a35f35a39c54dc48172c7
Branch: master
src/lib/krb5/krb/authdata.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Fix handling of invalid CAMMAC service verifier

In extract_cammacs(), avoid a null dereference if the CAMMAC service
verifier is invalid or the CAMMAC is empty.

(cherry picked from commit 8451ff6ed57361de585a35f35a39c54dc48172c7)

https://github.com/krb5/krb5/commit/ad105209b4701d51437d1ffcc75ee3aa1e45f5ad
Author: Jeffrey Arbuckle <jeffa.lans@gmail.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: ad105209b4701d51437d1ffcc75ee3aa1e45f5ad
Branch: krb5-1.17
src/lib/krb5/krb/authdata.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)