From craziboy77@hotmail.com Tue Dec 5 08:54:32 2000
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.72.0.53])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id IAA07016
for <bugs@RT-11.MIT.EDU>; Tue, 5 Dec 2000 08:54:31 -0500 (EST)
Received: from hotmail.com (f164.law11.hotmail.com [64.4.17.164])
by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id IAA06498
for <krb5-bugs@mit.edu>; Tue, 5 Dec 2000 08:54:31 -0500 (EST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
Tue, 5 Dec 2000 05:54:00 -0800
Received: from 202.165.0.37 by lw11fd.law11.hotmail.msn.com with HTTP; Tue, 05 Dec 2000 13:54:00 GMT
Message-Id: <F1646hdn1KVHYS8YV2b0000e3f4@hotmail.com>
Date: Tue, 05 Dec 2000 13:54:00 -0000
From: "Crazy Boy" <craziboy77@hotmail.com>
To: krb5-bugs@mit.edu
Subject: NULL deref from empty returned ETYPE_INFO
Architecture: sun4
list of supported authentication types (a
KRB5_PADATA_ETYPE_INFO message with no data(?)). When this is
processed to select the first supported
encryption type, there is no check that any types are actually
supported; the first one is selected (blindly), causing a null
pointer deference when the list returned is empty (in
preauth2.c, line 533).
The desired outcome in this situation is to return the "no
supported encryption types" message to the user rather than
crashing :).
This bug also exists in krb5-1.0.5 code (I have checked this)
and so I assume also in 1.1.
Administrator password. Promote it to be a domain controller.
I believe this is when the kerberos database is created. At
this point, there are no kerberos principals on the Win2K
machine, and trying to kinit Administrator@WIN2K.KERBEROS.REALM
causes a seg fault as described.
Alternatively, if you already have a W2K KDC running, add new
user into Active Directory via LDAP queries, but do not set a
password for the user.
Try to kinit newuser@WIN2K.KERBEROS.REALM, and you will see
the same behaviour.
treat an empty received supported encryption type list as if no
one had been received at all. This patch fixes the bug
encountered when talking to Win2000 in preauth2.c, and also a
similar problem in preauth.c.
--8<--
diff -r -u krb5-1.2.1.orig/src/lib/krb5/krb/preauth.c
krb5-1.2.1.w2k/src/lib/krb5/krb/preauth.c
--- krb5-1.2.1.orig/src/lib/krb5/krb/preauth.c Fri Jun 30 12:28:13 2000
+++ krb5-1.2.1.w2k/src/lib/krb5/krb/preauth.c Tue Dec 5 22:37:59 2000
@@ -172,6 +172,10 @@
retval = decode_krb5_etype_info(&scratch, &etype_info);
if (retval)
return retval;
+ if (etype_info[0] == NULL) {
+ krb5_free_etype_info(context, etype_info);
+ etype_info = 0;
+ }
}
}
diff -r -u krb5-1.2.1.orig/src/lib/krb5/krb/preauth2.c
krb5-1.2.1.w2k/src/lib/krb5/krb/preauth2.c
--- krb5-1.2.1.orig/src/lib/krb5/krb/preauth2.c Fri Jun 30 12:28:13 2000
+++ krb5-1.2.1.w2k/src/lib/krb5/krb/preauth2.c Tue Dec 5 22:44:56 2000
@@ -530,6 +530,11 @@
}
return ret;
}
+ if (etype_info[0] == NULL) {
+ krb5_free_etype_info(context, etype_info);
+ etype_info = NULL;
+ break;
+ }
salt->data = (char *) etype_info[0]->salt;
salt->length = etype_info[0]->length;
*etype = etype_info[0]->etype;
Responsible-Changed-From-To: gnats-admin->tlyu
Responsible-Changed-By: tlyu
Responsible-Changed-When: Tue Jan 30 16:47:45 2001
Responsible-Changed-Why:
refiled, reformatted
State-Changed-From-To: open-feedback
State-Changed-By: tlyu
State-Changed-When: Tue Jan 30 18:31:31 2001
State-Changed-Why:
patch committed
From: Tom Yu <tlyu@MIT.EDU>
To: craziboy77@hotmail.com
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-libs/903: NULL deref from empty returned ETYPE_INFO
Date: Tue, 30 Jan 2001 18:33:19 -0500 (EST)
Thanks for the bug report; I've committed a patch, and it should be in
the upcoming release.
---Tom
State-Changed-From-To: feedback-closed
State-Changed-By: tlyu
State-Changed-When: Fri Sep 14 19:52:18 2001
State-Changed-Why:
Fixed in 1.2.2.
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.72.0.53])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id IAA07016
for <bugs@RT-11.MIT.EDU>; Tue, 5 Dec 2000 08:54:31 -0500 (EST)
Received: from hotmail.com (f164.law11.hotmail.com [64.4.17.164])
by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id IAA06498
for <krb5-bugs@mit.edu>; Tue, 5 Dec 2000 08:54:31 -0500 (EST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
Tue, 5 Dec 2000 05:54:00 -0800
Received: from 202.165.0.37 by lw11fd.law11.hotmail.msn.com with HTTP; Tue, 05 Dec 2000 13:54:00 GMT
Message-Id: <F1646hdn1KVHYS8YV2b0000e3f4@hotmail.com>
Date: Tue, 05 Dec 2000 13:54:00 -0000
From: "Crazy Boy" <craziboy77@hotmail.com>
To: krb5-bugs@mit.edu
Subject: NULL deref from empty returned ETYPE_INFO
Show quoted text
>Number: 903
>Category: krb5-libs
>Synopsis: NULL deref from empty returned ETYPE_INFO
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: tlyu
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Dec 5 08:55:01 EST 2000
>Last-Modified: Fri Sep 14 19:52:30 EDT 2001
>Originator: Crazy Boy
>Organization:
>Release: krb5-1.2.1
>Environment:
System: SunOS buildhost 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-5_10>Category: krb5-libs
>Synopsis: NULL deref from empty returned ETYPE_INFO
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: tlyu
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Dec 5 08:55:01 EST 2000
>Last-Modified: Fri Sep 14 19:52:30 EDT 2001
>Originator: Crazy Boy
>Organization:
>Release: krb5-1.2.1
>Environment:
Architecture: sun4
Show quoted text
>Description:
A Windows 2000 KDC will in some circumstances return an emptylist of supported authentication types (a
KRB5_PADATA_ETYPE_INFO message with no data(?)). When this is
processed to select the first supported
encryption type, there is no check that any types are actually
supported; the first one is selected (blindly), causing a null
pointer deference when the list returned is empty (in
preauth2.c, line 533).
The desired outcome in this situation is to return the "no
supported encryption types" message to the user rather than
crashing :).
This bug also exists in krb5-1.0.5 code (I have checked this)
and so I assume also in 1.1.
Show quoted text
>How-To-Repeat:
Install a Windows 2000 Server, being careful to not change theAdministrator password. Promote it to be a domain controller.
I believe this is when the kerberos database is created. At
this point, there are no kerberos principals on the Win2K
machine, and trying to kinit Administrator@WIN2K.KERBEROS.REALM
causes a seg fault as described.
Alternatively, if you already have a W2K KDC running, add new
user into Active Directory via LDAP queries, but do not set a
password for the user.
Try to kinit newuser@WIN2K.KERBEROS.REALM, and you will see
the same behaviour.
Show quoted text
>Fix:
Apply the following patch which makes the preauthentication codetreat an empty received supported encryption type list as if no
one had been received at all. This patch fixes the bug
encountered when talking to Win2000 in preauth2.c, and also a
similar problem in preauth.c.
--8<--
diff -r -u krb5-1.2.1.orig/src/lib/krb5/krb/preauth.c
krb5-1.2.1.w2k/src/lib/krb5/krb/preauth.c
--- krb5-1.2.1.orig/src/lib/krb5/krb/preauth.c Fri Jun 30 12:28:13 2000
+++ krb5-1.2.1.w2k/src/lib/krb5/krb/preauth.c Tue Dec 5 22:37:59 2000
@@ -172,6 +172,10 @@
retval = decode_krb5_etype_info(&scratch, &etype_info);
if (retval)
return retval;
+ if (etype_info[0] == NULL) {
+ krb5_free_etype_info(context, etype_info);
+ etype_info = 0;
+ }
}
}
diff -r -u krb5-1.2.1.orig/src/lib/krb5/krb/preauth2.c
krb5-1.2.1.w2k/src/lib/krb5/krb/preauth2.c
--- krb5-1.2.1.orig/src/lib/krb5/krb/preauth2.c Fri Jun 30 12:28:13 2000
+++ krb5-1.2.1.w2k/src/lib/krb5/krb/preauth2.c Tue Dec 5 22:44:56 2000
@@ -530,6 +530,11 @@
}
return ret;
}
+ if (etype_info[0] == NULL) {
+ krb5_free_etype_info(context, etype_info);
+ etype_info = NULL;
+ break;
+ }
salt->data = (char *) etype_info[0]->salt;
salt->length = etype_info[0]->length;
*etype = etype_info[0]->etype;
Show quoted text
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->tlyu
Responsible-Changed-By: tlyu
Responsible-Changed-When: Tue Jan 30 16:47:45 2001
Responsible-Changed-Why:
refiled, reformatted
State-Changed-From-To: open-feedback
State-Changed-By: tlyu
State-Changed-When: Tue Jan 30 18:31:31 2001
State-Changed-Why:
patch committed
From: Tom Yu <tlyu@MIT.EDU>
To: craziboy77@hotmail.com
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-libs/903: NULL deref from empty returned ETYPE_INFO
Date: Tue, 30 Jan 2001 18:33:19 -0500 (EST)
Show quoted text
>>>>> "craziboy77" == Crazy Boy <craziboy77@hotmail.com> writes:
Show quoted text
craziboy77> A Windows 2000 KDC will in some circumstances return
craziboy77> an empty list of supported authentication types (a
craziboy77> KRB5_PADATA_ETYPE_INFO message with no data(?)). When
craziboy77> this is processed to select the first supported
craziboy77> encryption type, there is no check that any types are
craziboy77> actually supported; the first one is selected
craziboy77> (blindly), causing a null pointer deference when the
craziboy77> list returned is empty (in preauth2.c, line 533). The
craziboy77> desired outcome in this situation is to return the "no
craziboy77> supported encryption types" message to the user rather
craziboy77> than crashing :).
craziboy77> an empty list of supported authentication types (a
craziboy77> KRB5_PADATA_ETYPE_INFO message with no data(?)). When
craziboy77> this is processed to select the first supported
craziboy77> encryption type, there is no check that any types are
craziboy77> actually supported; the first one is selected
craziboy77> (blindly), causing a null pointer deference when the
craziboy77> list returned is empty (in preauth2.c, line 533). The
craziboy77> desired outcome in this situation is to return the "no
craziboy77> supported encryption types" message to the user rather
craziboy77> than crashing :).
Thanks for the bug report; I've committed a patch, and it should be in
the upcoming release.
---Tom
State-Changed-From-To: feedback-closed
State-Changed-By: tlyu
State-Changed-When: Fri Sep 14 19:52:18 2001
State-Changed-Why:
Fixed in 1.2.2.
Show quoted text
>Unformatted: