BUG: kinit coredumps when changing expired password, potentially kpasswd as well

Alistair Mackay ali_m_000 at hotmail.com
Wed Feb 13 09:32:21 EST 2002


Version: kerberos V 1.2.3
Location: src/lib/krb5/krb/gic_pwd.c  line 271
Platform: Solaris 2.6 (though by its nature, should affect all)
Description:
When attempting to aquire a TGT from a server that has "User must
change password at next logon" set, if a new password is entered that
does not meet the password requirements for the server a seg fault
occurs when the "Password Change Rejected. Please Try Again message"
is printed.
The reason being is that result_string.length is zero (OK) but the
pointer result_string.data is NULL - kerrrunch!
As you can see, the same could be possible with code_string so the
same action is taken

Resolution:

Existing code:

	 sprintf(banner, "%.*s%s%.*s.  Please try again.\n",
		 code_string.length, code_string.data,
		 result_string.length?": ":"",
		 result_string.length, result_string.data);

Suggested fix:

	 sprintf(banner, "%.*s%s%.*s.  Please try again.\n",
		 code_string.length, 
                 code_string.data ? code_string.data : "",
		 result_string.length?": ":"",
		 result_string.length, 
		 result_string.data ? result_string.data : "" );

After grepping the source, I find the same may occur at the following
locations requiring the same action...
src/clients/kpasswd/kpasswd.c line 137
src/mac/kpasswd.c  line 139
src/windows/cns/kpasswd/c  line 82

And possibly in the macro SAMDATA in
src/lib/krb5/krb/preauth2.c  line 220
...though unless it breaks for me, I can't be bothered to pick apart
the macro :-)

Regards,

Alistair Mackay




(Has also been posted to krb5-bugs at mit.edu)



More information about the Kerberos mailing list