[krbdev.mit.edu #6777] Segmentation fault in krb library (sn2princ.c) if realm not resolved

Krier@krbdev.mit.edu Krier at krbdev.mit.edu
Tue Sep 14 15:10:55 EDT 2010


  To: krb5-bugs at mit.edu
  Subject: Segmentation fault in krb library (sn2princ.c) if realm not resolved
  From: Richard.Krier at globalfoundries.com
  Reply-To: Richard.Krier at globalfoundries.com
  Cc:
  X-send-pr-version: 3.99

     >Submitter-Id:
     >Originator:      Richard Krier
     >Organization:    GlobalFoundries

     >Confidential:    no
     >Synopsis: Segmentation fault in sn2princ.c if realm not resolved. Need checks for zero-length string and/or NULL pointer
     >Severity: serious
     >Priority: medium
     >Category: krb5-bug
     >Class:           krb5-bug
     >Release: 1.6.3, 1.8.3
     >Environment:
     System: AIX 5.3, Kerberos libraries built in 64-bit mode
     Machine:
     >Description:
              1. sname_to_princ() (sn2princ.c) calls krb5_get_host_realm() to resolve the Kerberos realm from the host name.
              2. If the realm is unresolved, krb5_get_host_realm() returns a zero-length string, i.e. 1 byte containing just '\0'.
              3. sname_to_princ() then performs an inadequate check for realm resolution:
PROBLEM IS HERE:   if (!hrealms[0]) {   /* this only checks if the ptr is NULL, but not if the string is zero-length */
                      free(remote_host);
                      krb5_xfree(hrealms);
                      return KRB5_ERR_HOST_REALM_UNKNOWN;
                    }
              4. sname_to_princ() then calls krb5_build_principal(); no principal is created in this case, and *ret_princ is NULL.
ALSO HERE:       No check is made to determine if *ret_princ is NULL before using it to make an assignment as in point 5.
              5. sname_to_princ() gets a segmentation fault trying to use the null *ret_princ to assign 'type'.


     >How-To-Repeat:
             N/A
     >Fix:
             In file sn2princ.c:
             1. Modify the realm check above to check for either a NULL pointer or a zero-length string:
                if ((!hrealms[0]) || (0 == strlen(hrealms[0]))) {    /* or equivalently ('\0' == hrealms[0][0]) */

            2. Add a check for *ret_princ being NULL after calling krb5_build_principal():
                    if (NULL == *ret_princ) {
                      free(remote_host);
                      krb5_xfree(hrealms);
                      return KRB5_ERR_HOST_REALM_UNKNOWN;
                    }
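The following is an added, stand-alone illustration of the two checks proposed above, not code from this report or from the MIT krb5 tree: it models sname_to_princ() with stand-in types (principal_t, build_principal_stub, STUB_ERR_HOST_REALM_UNKNOWN are all assumed names), so it can be compiled without the krb5 headers.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in definitions; the real krb5 values and types differ. */
#define STUB_ERR_HOST_REALM_UNKNOWN 1
#define STUB_NT_SRV_HST 3   /* stands in for KRB5_NT_SRV_HST */
typedef struct { const char *realm, *service, *host; int type; } principal_t;

/* The original test: only catches a NULL first entry. */
int realm_unresolved_old(char **hrealms) { return hrealms[0] == NULL; }

/* The corrected test from the report: NULL pointer OR zero-length string. */
int realm_unresolved_fixed(char **hrealms) {
    return hrealms[0] == NULL || hrealms[0][0] == '\0';
}

/* Stand-in for krb5_build_principal(): with an empty realm it builds
 * nothing and leaves the caller's pointer NULL, as the report describes. */
static principal_t *build_principal_stub(const char *realm, const char *svc,
                                         const char *host) {
    if (realm == NULL || realm[0] == '\0') return NULL;
    principal_t *p = calloc(1, sizeof *p);
    if (p) { p->realm = realm; p->service = svc; p->host = host; }
    return p;
}

/* Simplified sname_to_princ() with both checks applied. Returns 0 and sets
 * *ret_princ on success; on failure *ret_princ is NULL and never touched. */
int sname_to_princ_fixed(char **hrealms, const char *svc, const char *host,
                         principal_t **ret_princ) {
    *ret_princ = NULL;
    if (realm_unresolved_fixed(hrealms))          /* check 1: empty realm */
        return STUB_ERR_HOST_REALM_UNKNOWN;
    *ret_princ = build_principal_stub(hrealms[0], svc, host);
    if (*ret_princ == NULL)                        /* check 2: no principal */
        return STUB_ERR_HOST_REALM_UNKNOWN;
    (*ret_princ)->type = STUB_NT_SRV_HST;          /* safe: non-NULL here */
    return 0;
}

/* Constructed realm lists in the shape krb5_get_host_realm() returns. */
char *sample_empty_realm[] = { "", NULL };        /* unresolved realm */
char *sample_null_realm[]  = { NULL };
char *sample_good_realm[]  = { "EXAMPLE.COM", NULL };

/* Runs the fixed function on one list and returns its error code. */
int try_realm_list(char **hrealms) {
    principal_t *p = NULL;
    int rc = sname_to_princ_fixed(hrealms, "host", "h.example.com", &p);
    free(p);
    return rc;
}
```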
