Workaround: telnet core dumps with Windows 2000 KDC

Alistair Mackay ali_m_000 at hotmail.com
Wed Mar 13 06:10:47 EST 2002


Category:	krb5-appl
Release:	krb5-1.2.3

Description:

	When using MIT Kerberos against a Windows 2000 KDC, obtaining a TGT
for a user that is a member of many Windows groups causes the
Authorization-Data field of the TGT to become very large. Microsoft
uses this field to store Windows security information for all the
groups the user is a member of.
Telnet contains 2048-byte buffers for the network output ring and also
as a work buffer in libtelnet/kerberos5.c. When the TGT is too large,
the buffer in kerberos5.c overflows and overwrites the variables
declared after it, particularly the krb5_context structure - a core
dump soon follows!

How-To-Repeat:

	Create a user account at the Win2K KDC and make it a member of many
groups - 10 to 12 is usually sufficient.

Fix:

	Personally I increased the size of the static buffer in
libtelnet/kerberos5.c line 99: static unsigned char str_data[2048]
and the network output ring buffer
telnet/network.c line 56: unsigned char netobuf[2*BUFSIZ],
to be big enough to accommodate the largest expected user account on
the company's network.

I would recommend that any future enhancement to telnet use a
dynamically allocated buffer in kerberos5.c and that there be some way
of flushing the ring buffer so that a large TGT can be processed in a
loop, since the TGT size is not known at the time the ring buffer is
allocated.

(also posted to krb5-bugs at mit.edu)
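The two changes the report recommends, sketched as an added C example that is not telnet's own code: the work buffer is sized from the ticket's length instead of being fixed at 2048 bytes, and a message larger than the output ring is pushed through it in a loop of flushes. The two-byte header values, the ring size and the ticket contents are constructed stand-ins; the real AUTH suboption framing and the krb5 library calls are not reproduced.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define STATIC_BUF_LEN 2048   /* size of str_data in libtelnet/kerberos5.c */
#define RING_LEN       2048   /* constructed stand-in for netobuf's capacity */
#define AUTH_HDR_LEN   2      /* constructed 2-byte suboption header */
/* A packed authentication message: header followed by the raw ticket. */
typedef struct { unsigned char *data; size_t len; } auth_msg;

/* Models the original unchecked copy into a 2048-byte static buffer:
   returns 1 if the ticket fits, 0 if the copy would have run past the
   buffer into the variables declared after it (the reported crash). */
int fits_static_buffer(size_t ticket_len)
{
    return ticket_len + AUTH_HDR_LEN <= STATIC_BUF_LEN;
}

/* Recommended alternative: allocate exactly header + ticket, so a TGT
   carrying large authorization data cannot overflow anything. Returns 0
   on success, -1 if the length arithmetic wraps or malloc fails. */
int pack_dynamic(const unsigned char *ticket, size_t ticket_len, auth_msg *out)
{
    if (ticket_len > SIZE_MAX - AUTH_HDR_LEN) return -1;
    out->len = AUTH_HDR_LEN + ticket_len;
    out->data = malloc(out->len);
    if (!out->data) return -1;
    out->data[0] = 0xAA;                  /* constructed header bytes, */
    out->data[1] = 0xBB;                  /* not the real AUTH framing */
    memcpy(out->data + AUTH_HDR_LEN, ticket, ticket_len);
    return 0;
}

/* Pushes a message of any size through a RING_LEN-byte ring by filling
   and flushing it in a loop; `wire` (at least m->len bytes) stands in for
   the socket. Returns the number of flushes performed. */
size_t send_through_ring(const auth_msg *m, unsigned char *wire)
{
    unsigned char ring[RING_LEN];
    size_t off = 0, flushes = 0;
    while (off < m->len) {
        size_t n = m->len - off;
        if (n > RING_LEN) n = RING_LEN;   /* fill the ring ... */
        memcpy(ring, m->data + off, n);
        memcpy(wire + off, ring, n);      /* ... and flush it (stand-in for write()) */
        off += n; flushes++;
    }
    return flushes;
}
```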
