Crash in sendto_kdc.c

Greg Hudson ghudson at mit.edu
Tue Feb 13 10:33:51 EST 2018


On 02/12/2018 11:44 PM, Puran Chand wrote:
> The code works fine and generates a token most of the time but once in a
> while it crashes and the crash happens in the library.

I have looked at the stack traces and have a vague idea of the problem
area, but I don't see a bug in the code, nor do I see any potentially
related changes to sendto_kdc.c between 1.16 and the last KfW release.
I will describe what's going on in case it helps you debug this further.

sendto_kdc.c:1113 (in krb5 1.16) is "if ((size_t)nwritten <
SG_LEN(sgp))", where SG_LEN(sgp) is sgp->len.  Since the code is
crashing here, sgp is presumably a null or invalid pointer.

sgp is set from conn->out.sgp.  conn->out.sgp should have been
initialized to state->out.sgbuf in add_connection().  sgbuf is an array
of scatter-gather vectors of up to two elements.  (We use this array to
avoid having to recopy the packet for TCP requests, while still sending
the length and the packet in one write operation.)

I can think of three general possibilities:

* conn->out.sgp for some reason never got set, so is a null pointer at
the time of the crash.  But I don't know why it wouldn't have been set.

* conn->out.sgp is incremented during each iteration of the loop (at
line 1119) until we run out of written bytes to account for.  If
nwritten is for some reason much larger than it should be, conn->out.sgp
could run off the end of conn->out.sgbuf by enough to produce a
segmentation fault.  But I don't know why nwritten would ever be larger
than the lengths of the two scatter-gather vectors.

* conn->out.sgp could have been corrupted by a memory error elsewhere.
Since sendto_kdc() is synchronous, I would think the corruption would
have to have occurred in another thread.
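As an added illustration, not code from krb5 or from this thread, the following is a small model of the scatter-gather accounting loop described above (a 4-byte length prefix plus the packet in a two-element array, with sgp advanced as bytes are written). The struct and function names are hypothetical; the one deliberate difference from the loop being discussed is an explicit bound check, so an nwritten larger than the bytes remaining is reported as an error rather than advancing sgp off the end of sgbuf.

```c
#include <stddef.h>

/* Constructed model of one scatter-gather vector (data pointer + length). */
struct sg_buf { const unsigned char *data; size_t len; };

/* Constructed model of the per-connection output state: a two-element
 * sgbuf array and sgp, the cursor into it that add_connection() would set. */
struct out_state {
    struct sg_buf sgbuf[2];
    struct sg_buf *sgp;
    size_t sg_count;
};

/* Set up a TCP-style request: 4-byte big-endian length, then the packet. */
void sg_init_tcp(struct out_state *st, const unsigned char *lenbuf,
                 const unsigned char *pkt, size_t pktlen)
{
    st->sgbuf[0].data = lenbuf; st->sgbuf[0].len = 4;
    st->sgbuf[1].data = pkt;    st->sgbuf[1].len = pktlen;
    st->sg_count = 2;
    st->sgp = st->sgbuf;      /* cursor starts at the first vector */
}

/* Bytes still to be sent across all vectors from the cursor onward. */
size_t sg_remaining(const struct out_state *st)
{
    size_t total = 0;
    for (const struct sg_buf *p = st->sgp; p < st->sgbuf + st->sg_count; p++)
        total += p->len;
    return total;
}

/* Account for nwritten bytes: skip fully written vectors and trim the
 * partially written one.  Returns 0 on success, -1 if nwritten exceeds the
 * bytes remaining; in that case sgp stays at the array end instead of
 * running past it (the second failure mode discussed in the message). */
int sg_account(struct out_state *st, size_t nwritten)
{
    struct sg_buf *end = st->sgbuf + st->sg_count;
    while (nwritten > 0) {
        if (st->sgp >= end)
            return -1;        /* more bytes reported written than we had */
        if (nwritten < st->sgp->len) {
            st->sgp->data += nwritten;   /* partial write of this vector */
            st->sgp->len -= nwritten;
            return 0;
        }
        nwritten -= st->sgp->len;        /* vector fully written; advance */
        st->sgp++;
    }
    return 0;
}
```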
