[krbdev.mit.edu #8889] krb5 crashes in k5_primary_domain

Jiri Slaby via RT rt-comment at KRBDEV-PROD-APP-1.mit.edu
Tue Mar 24 13:27:57 EDT 2020


Tue Mar 24 13:27:56 2020: Request 8889 was acted upon.
 Transaction: Ticket created by jslaby at suse.cz
       Queue: krb5
     Subject: krb5 crashes in k5_primary_domain
       Owner: Nobody
  Requestors: jslaby at suse.cz
      Status: new
 Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8889 >


When no domain is set during bootup (but is set later), nfs invokes krb
and nfs+krb crashes:
> #0  __strlen_sse2 () at ../sysdeps/x86_64/multiarch/../strlen.S:120
> #1  0x00007fe592ad7adf in __GI___strdup (s=0x0) at strdup.c:41
> #2  0x00007fe592903e89 in k5_primary_domain () at dnsglue.c:506
> #3  qualify_shortname (context=<optimized out>, host=0x7ffc8968f3d0 "anemoi") at sn2princ.c:74
> #4  k5_expand_hostname (context=context@entry=0x556b5f5bf5a0, host=host@entry=0x7ffc8968f3d0 "anemoi", is_fallback=is_fallback@entry=0, canonhost_out=canonhost_out@entry=0x7ffc8968f3b8) at sn2princ.c:128
> #5  0x00007fe592903eea in krb5_expand_hostname (context=context@entry=0x556b5f5bf5a0, host=host@entry=0x7ffc8968f3d0 "anemoi", canonhost_out=canonhost_out@entry=0x7ffc8968f3b8) at sn2princ.c:164
> #6  0x00007fe592906500 in krb5_sname_to_principal (context=0x556b5f5bf5a0, hostname=0x7ffc8968f3d0 "anemoi", hostname@entry=0x0, sname=sname@entry=0x556b5f5bdc80 "nfs", type=type@entry=3, princ_out=princ_out@entry=0x7ffc8968f488) at sn2princ.c:219
> #7  0x00007fe592a111c3 in krb5_gss_import_name (minor_status=0x7ffc8969178c, input_name_buffer=<optimized out>, input_name_type=<optimized out>, output_name=0x7ffc89691690) at import_name.c:166
> #8  0x00007fe592a2a088 in gssint_import_internal_name (minor_status=minor_status@entry=0x7ffc8969178c, mech_type=mech_type@entry=0x556b5f5bcc70, union_name=union_name@entry=0x556b5f5a3a20, internal_name=internal_name@entry=0x7ffc89691690) at g_glue.c:400
> #9  0x00007fe592a2b820 in gss_add_cred_from (minor_status=minor_status@entry=0x7ffc8969178c, input_cred_handle=<optimized out>, desired_name=desired_name@entry=0x556b5f5a3a20, desired_mech=<optimized out>, cred_usage=cred_usage@entry=2, initiator_time_req=initiator_time_req@entry=4294967295, acceptor_time_req=4294967295, cred_store=0x0, output_cred_handle=0x0, actual_mechs=0x0, initiator_time_rec=0x0, acceptor_time_rec=0x0) at g_acquire_cred.c:512
> #10 0x00007fe592a2de3f in gss_acquire_cred_from (minor_status=0x7ffc89691864, desired_name=0x556b5f5a3a20, time_req=4294967295, desired_mechs=0x0, cred_usage=2, cred_store=cred_store@entry=0x0, output_cred_handle=0x556b5eff0378, actual_mechs=0x0, time_rec=0x0) at g_acquire_cred.c:190
> #11 0x00007fe592a2e096 in gss_acquire_cred (minor_status=<optimized out>, desired_name=<optimized out>, time_req=<optimized out>, desired_mechs=<optimized out>, cred_usage=<optimized out>, output_cred_handle=<optimized out>, actual_mechs=0x0, time_rec=0x0) at g_acquire_cred.c:107
> #12 0x0000556b5efec956 in ?? ()
> #13 0x0000556b5efe8f4d in ?? ()
> #14 0x00007fe592a6fceb in __libc_start_main (main=0x556b5efe8520, argc=1, argv=0x7ffc89691a48, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc89691a38) at ../csu/libc-start.c:308
> #15 0x0000556b5efe921a in ?? ()


> (gdb) p h
> $1 = {retrans = 5, retry = 2, options = 705, nscount = 1, nsaddr_list = {{sin_family = 2, sin_port = 13568, sin_addr = {s_addr = 16777343}, sin_zero = "\000\000\000\000\000\000\000"}, {sin_family = 0, sin_port = 0, sin_addr = {
>         s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"}, {sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"}}, id = 0, dnsrch = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
>   defdname = '\000' <repeats 255 times>, pfcode = 0, ndots = 1, nsort = 0, ipv6_unavail = 0, unused = 0, sort_list = {{addr = {s_addr = 0}, mask = 0}, {addr = {s_addr = 0}, mask = 0}, {addr = {s_addr = 0}, mask = 0}, {addr = {
>         s_addr = 0}, mask = 0}, {addr = {s_addr = 0}, mask = 0}, {addr = {s_addr = 0}, mask = 0}, {addr = {s_addr = 0}, mask = 0}, {addr = {s_addr = 0}, mask = 0}, {addr = {s_addr = 0}, mask = 0}, {addr = {s_addr = 0},
>       mask = 0}}, __glibc_unused_qhook = 0x0, __glibc_unused_rhook = 0x0, res_h_errno = 0, _vcsock = -1, _flags = 0, _u = {pad = "\000\000\000\000\000\000\000\000\377\377\377\377", '\000' <repeats 36 times>, "a\200\257H", _ext = {
>       nscount = 0, nsmap = {0, 0, 0}, nssocks = {-1, 0, 0}, nscount6 = 0, nsinit = 0, nsaddrs = {0x0, 0x0, 0x0}, __glibc_reserved = {1219461217, 648608350}}}}
> (gdb) p h.dnsrch
> $2 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}



Trying to strdup the NULL pointer is not a good idea. So
k5_primary_domain should return NULL if the domain is NULL. Something like:
-#define PRIMARY_DOMAIN(h) strdup(h.dnsrch[0])
+#define PRIMARY_DOMAIN(h) ((h).dnsrch[0] ? strdup((h).dnsrch[0]) : NULL)
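Review bot: with this guard k5_primary_domain returns NULL both when no search domain is configured (the dnsrch dump above is all 0x0) and when strdup itself fails, so the caller in frame #3, qualify_shortname, needs to treat NULL as "leave the name unqualified" rather than as an allocation error, or the fix trades a crash for a spurious failure on every domain-less boot. The older res_init-based variant of PRIMARY_DOMAIN mentioned next should get the same NULL check, since it dereferences the same dnsrch[0] slot.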

And perhaps for the old res_init case too.

thanks,
-- 
js
suse labs


