From mann@milwaukee.pa.dec.com Thu Oct 12 01:18:12 2000
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2])
by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id BAA29742
for <bugs@RT-11.MIT.EDU>; Thu, 12 Oct 2000 01:18:08 -0400 (EDT)
Received: from mail1.digital.com by MIT.EDU with SMTP
id AA13320; Thu, 12 Oct 00 01:17:54 EDT
Received: from src-mail.pa.dec.com (src-mail.pa.dec.com [16.4.16.35])
by mail1.digital.com (8.9.2/8.9.3/WV2.0h) with ESMTP id WAA07511
for <krb5-bugs@mit.edu>; Wed, 11 Oct 2000 22:18:01 -0700 (PDT)
Received: by src-mail.pa.dec.com; id WAA06963; Wed, 11 Oct 2000 22:18:01 -0700 (PDT)
Received: (from mann@localhost)
by milwaukee.pa.dec.com (8.11.0/8.11.0) id e9C5I0c32399;
Wed, 11 Oct 2000 22:18:00 -0700
Message-Id: <200010120518.e9C5I0c32399@milwaukee.pa.dec.com>
Date: Wed, 11 Oct 2000 22:18:00 -0700
From: Tim Mann <mann@pa.dec.com>
Reply-To: mann@pa.dec.com
To: krb5-bugs@MIT.EDU
Cc:
Subject: sample/sclient crashes in krb5_init_context
X-Send-Pr-Version: 3.99

>Number: 895
>Category: krb5-appl
>Synopsis: sample/sclient crashes in krb5_init_context
>Confidential: no
>Severity: critical
>Priority: low
>Responsible: epeisach
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Oct 12 01:19:00 EDT 2000
>Last-Modified: Tue Jan 30 15:33:55 EST 2001
>Originator: Tim Mann
>Organization:
Tim Mann tim.mann@compaq.com http://www.tim-mann.org
Compaq Computer Corporation, Systems Research Center, Palo Alto, CA
>Release: krb5-1.2.1
>Environment:
System: Linux milwaukee 2.2.16-22 #1 Tue Aug 22 16:49:06 EDT 2000 i686 unknown
Architecture: i686

>Description:
The sample Kerberos client "sclient" dies with a segmentation fault:
[mann@milwaukee mann]$ gdb sclient
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
(gdb) run localhost 12345 sample
Starting program: /usr/kerberos/bin/sclient localhost 12345 sample
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x40050486 in krb5_auth_con_free () from /usr/kerberos/lib/libkrb5.so.3
(gdb) where
#0 0x40050486 in krb5_auth_con_free () from /usr/kerberos/lib/libkrb5.so.3
#1 0x80491a5 in krb5_init_context ()
#2 0x400d0b65 in __libc_start_main (main=0x8048cec <krb5_init_context+244>,
argc=4, ubp_av=0xbffff8d4, init=0x8048988,
fini=0x804943c <krb5_init_context+2116>, rtld_fini=0x4000df24 <_dl_fini>,
stack_end=0xbffff8cc) at ../sysdeps/generic/libc-start.c:111
(gdb) quit

>How-To-Repeat:
Get sserver running so that the client has something to connect to, and
then try to run sclient as shown above. Bam.

>Fix:
The problem seems to be that sclient declares its krb5_context on the stack
and does not initialize it to all zeros. Adding one line of code before
the call to krb5_init_context makes it work:
memset(&context, 0, sizeof(context));
>Audit-Trail:

From: tim.mann@compaq.com
To: krb5-bugs@MIT.EDU, krb5-unassigned@rt-11.mit.edu
Cc: mann@pa.dec.com
Subject: Re: krb5-appl/895: sample/sclient crashes in krb5_init_context
Date: Wed, 11 Oct 2000 22:35:40 -0700 (PDT)

I forgot to mention that I noticed another bug in sclient. If authentication
fails, it tries to free a null auth_context before it gets around to printing
the error message. Here is a patch that includes both fixes:

--- /vesta/src.dec.com/test2/kerbtest/checkout/1/17/src/sclient/sclient.c Wed Oct 11 19:57:23 2000
+++ sclient.c Wed Oct 11 21:36:08 2000
@@ -77,6 +77,7 @@
exit(1);
}

+ memset(&context, 0, sizeof(context));
retval = krb5_init_context(&context);
if (retval) {
com_err(argv[0], retval, "while initializing krb5");
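Review bot: the added `memset(&context, 0, sizeof(context));` before `krb5_init_context(&context)` is redundant rather than harmful and should be dropped: `context` is an out parameter, and `krb5_init_context` overwrites `*context` before doing anything else with it, as the analysis later in this thread confirms. If a known value on the failure path is wanted, initialising the variable at its declaration (`krb5_context context = NULL;`) states that intent more directly than a memset immediately before a call that discards it.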
@@ -176,7 +177,7 @@
krb5_free_principal(context, server); /* finished using it */
krb5_free_principal(context, client);
krb5_cc_close(context, ccdef);
- krb5_auth_con_free(context, auth_context);
+ if (auth_context) krb5_auth_con_free(context, auth_context);

if (retval && retval != KRB5_SENDAUTH_REJECTED) {
com_err(argv[0], retval, "while using sendauth");
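Review bot: the guard `if (auth_context) krb5_auth_con_free(context, auth_context);` only works if `auth_context` is NULL before the sendauth call, and the hunk does not show the declaration; please confirm it reads `krb5_auth_context auth_context = NULL;` rather than an uninitialised stack variable, otherwise the rejected-authentication path still passes garbage to `krb5_auth_con_free`. Since the trace shows `krb5_auth_con_free` faulting on a NULL argument rather than tolerating it, every error path that reaches this cleanup sequence needs the same guard, not only this one.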


Tim Mann tim.mann@compaq.com http://www.tim-mann.org
Compaq Computer Corporation, Systems Research Center, Palo Alto, CA

Responsible-Changed-From-To: krb5-unassigned->epeisach
Responsible-Changed-By: epeisach
Responsible-Changed-When: Fri Oct 13 16:55:22 2000
Responsible-Changed-Why:
I will examine and deal.

State-Changed-From-To: open-analyzed
State-Changed-By: epeisach
State-Changed-When: Fri Oct 13 17:06:20 2000
State-Changed-Why:
The auth_context freeing is a problem - the init_context one is not.

From: Ezra Peisach <epeisach@MIT.EDU>
To: mann@pa.dec.com
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-appl/895: sample/sclient crashes in krb5_init_context
Date: Fri, 13 Oct 2000 17:06:02 -0400

I have looked at your problem report.

Based on my reading of the code, krb5_init_context never calls
krb5_auth_con_free. I am wondering if there might be some sort of
stack corruption causing a weird stack trace.

I agree with you that the call to krb5_auth_con_free should be
conditional on it being set.

Looking at krb5_init_context, it calls init_common().
init_common() dereferences the pointer to the context that you pass in and
zeros it. Your krb5_context is now NULL.
init_common() then builds up a context (which is immediately zeroed), and continues down.

If everything works, your pointer to your context is again dereferenced and
your context value changed.

(Remember that a krb5_context is a pointer to an opaque structure).


Having the krb5_context on the stack is fine. There are many
applications that do this - see kdestroy.

I therefore ask, if you only change the code not to free the auth_context
unless set - do you still get the crash?

Ezra


From: tim.mann@compaq.com
To: Ezra Peisach <epeisach@MIT.EDU>
Cc: mann@pa.dec.com, krb5-bugs@MIT.EDU
Subject: Re: krb5-appl/895: sample/sclient crashes in krb5_init_context
Date: Fri, 13 Oct 2000 14:43:28 -0700 (PDT)

> Based on my reading of the code, krb5_init_context never calls
> krb5_auth_con_free. I am wondering if there might be some sort of
> stack corruption causing a weird stack trace.

Hmm, that is strange. The stack trace definitely misled me. I was also
misled by the fact that the Kerberos API document distributed with 1.2.1
says that the context parameter to krb5_init_context is IN/OUT. If that
were true, passing in a pointer to uninitialized memory could be expected
to cause a crash. Apparently the API document should say that the parameter
is OUT only.

> I therefore ask, if you only change the code not to free the auth_context
> unless set - do you still get the crash?

No, that fixes it. It's clear that your analysis is correct.

Thanks for the quick response!

--Tim

Tim Mann tim.mann@compaq.com http://www.tim-mann.org
Compaq Computer Corporation, Systems Research Center, Palo Alto, CA
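
The two lifecycle rules the thread settles on (krb5_init_context treats its argument as OUT-only, so a stack krb5_context needs no zeroing; krb5_auth_con_free must only be called on an auth context that was actually set) are easy to get wrong again, so here is a small self-contained C model of sclient's main() with the fix applied. This is an added example, not code from the report, from libkrb5 or from the krb5 tree: the model_* types and functions are hypothetical stand-ins for krb5_context, krb5_auth_context, krb5_init_context, krb5_sendauth and krb5_auth_con_free, and the assumption that the auth context is only created when authentication succeeds is the model's, not a claim about krb5_sendauth. The frame labelled krb5_init_context in the gdb trace is what a binary without symbols produces (gdb names an address by the nearest preceding symbol, here the PLT entry), which is why the crash really sits in sclient's own cleanup path, as the thread concludes.

```c
/* Added example, not code from the original report or from the krb5 tree.
 * model_* names are hypothetical stand-ins for the krb5 API used by sclient. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MODEL_SENDAUTH_REJECTED 1   /* stand-in for KRB5_SENDAUTH_REJECTED */

typedef struct model_ctx      { int initialized; } *model_context;
typedef struct model_auth_ctx { int peer;        } *model_auth_context;

/* OUT-only, like krb5_init_context as described in the thread: the caller's
 * variable is overwritten before anything else happens, so an uninitialised
 * stack variable is fine and a memset before the call buys nothing. */
int model_init_context(model_context *ctxp)
{
    model_context c;
    *ctxp = NULL;                     /* caller's garbage discarded here */
    c = calloc(1, sizeof(*c));        /* freshly zeroed, then filled in */
    if (c == NULL)
        return ENOMEM;
    c->initialized = 1;
    *ctxp = c;
    return 0;
}

void model_free_context(model_context c)
{
    free(c);
}

/* Like the krb5_auth_con_free in the trace: no NULL check, so calling it
 * with an auth context that was never set dereferences NULL. */
void model_auth_con_free(model_context c, model_auth_context a)
{
    (void)c;
    a->peer = 0;                      /* SIGSEGV when a == NULL */
    free(a);
}

/* Model of the authentication step.  Assumption (the model's, not a claim
 * about krb5_sendauth): the auth context is only created on success, so a
 * rejected authentication leaves *ap untouched. */
int model_sendauth(model_context c, model_auth_context *ap, int reject)
{
    model_auth_context a;
    if (c == NULL || !c->initialized)
        return EINVAL;
    if (reject)
        return MODEL_SENDAUTH_REJECTED;
    a = calloc(1, sizeof(*a));
    if (a == NULL)
        return ENOMEM;
    a->peer = 1;
    *ap = a;
    return 0;
}

/* Shows the OUT-only contract: the value the variable held before the call
 * is irrelevant once model_init_context returns.  Returns 1 on success. */
int init_discards_input(void)
{
    model_context c = (model_context)(size_t)0xdeadbeef; /* deliberate garbage */
    int ok;
    if (model_init_context(&c) != 0)
        return 0;
    ok = (c != NULL && c->initialized == 1);
    model_free_context(c);
    return ok;
}

/* sclient's main() in miniature with the fix from the thread: auth_context
 * starts out NULL and is freed only if it was set.  Returns the sendauth
 * result so both paths can be checked by a caller. */
int run_client(int reject)
{
    model_context context;                  /* uninitialised on purpose */
    model_auth_context auth_context = NULL; /* what the guard relies on */
    int retval;

    retval = model_init_context(&context);
    if (retval) {
        fprintf(stderr, "while initializing context: %d\n", retval);
        return retval;
    }

    retval = model_sendauth(context, &auth_context, reject);

    /* cleanup before reporting, in the order sclient uses */
    if (auth_context)
        model_auth_con_free(context, auth_context);
    model_free_context(context);

    if (retval && retval != MODEL_SENDAUTH_REJECTED)
        fprintf(stderr, "while using sendauth: %d\n", retval);
    else if (retval == MODEL_SENDAUTH_REJECTED)
        fprintf(stderr, "authentication rejected\n");
    return retval;
}

int main(void)
{
    /* without the NULL guard the rejected path would crash inside
     * model_auth_con_free, exactly as sclient did */
    int ok = run_client(0);
    int rejected = run_client(1);
    printf("success path: %d, rejected path: %d\n", ok, rejected);
    return (ok == 0 && rejected == MODEL_SENDAUTH_REJECTED) ? 0 : 1;
}
```

Remove the `= NULL` from the `auth_context` declaration and run the rejected path under gdb to reproduce the shape of the original report: the fault lands in the free routine, not in the initialisation call the stripped trace pointed at.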
State-Changed-From-To: analyzed-closed
State-Changed-By: epeisach
State-Changed-When: Tue Jan 30 15:33:14 EST 2001
State-Changed-Why:
The changes have been committed to the source tree and will be available
in a patch release.

>Unformatted:
Tim Mann