pending/1073: telnet core dumps with Windows 2000 KDC
Ali M
ali_m_000 at hotmail.com
Wed Mar 13 06:02:06 EST 2002
>Number: 1073
>Category: pending
>Synopsis: telnet core dumps with Windows 2000 KDC
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: gnats-admin
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Mar 13 06:03:00 EST 2002
>Last-Modified:
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
Submitter-Id: net
Originator: Super-User
Organization:
Confidential: no
Synopsis: Telnet dies if TGT Authorization-Data field too large
Severity: non-critical
Priority: low
Category: krb5-appl
Class: change-request
Release: krb5-1.2.3
Environment:
System: SunOS secsol5 5.6 Generic_105181-21 sun4u sparc SUNW,Ultra-5_10
Architecture: sun4
Description:
When using MIT kerberos against a Windows 2000 KDC, obtaining a TGT
for a user that is a member of many Windows groups causes the
Authorization-Data field of the TGT to become very large. Telnet contains
2048 byte buffers for the network output ring and also as a work buffer
in libtelnet/kerberos5.c. When the TGT is too large, the buffer in
kerberos5.c overflows and overwrites the variables declared after it,
particularly the krb5_context structure - a core dump soon follows!
How-To-Repeat:
Create a user account at the Win2K KDC and make it a member of many
groups - 10 to 12 is usually sufficient.
Fix:
Personally I increased the size of the static buffer in
libtelnet/kerberos5.c line 99: static unsigned char str_data[2048]
and the network output ring buffer
telnet/network.c line 56: unsigned char netobuf[2*BUFSIZ],
to be big enough to accommodate the largest expected user account on the
company's network.
I would recommend that any future enhancement to telnet would use a
dynamically allocated buffer in kerberos5.c and that there be some
way of flushing the ring buffer so that a large TGT can be processed
in a loop, since the TGT size is not known at the time the ring buffer
is allocated.
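The three buffer patterns the report touches on, as an added illustration written for this page (it is not MIT krb5 or telnet code): the fixed 2048-byte work buffer that the report says is overrun by a large Authorization-Data field, the dynamically sized replacement the submitter recommends, and a loop that pushes a ticket larger than the output ring through it with flushes. Names such as put_ticket_fixed, put_ticket_dynamic, send_through_ring and make_fake_ticket are invented for the example; the ticket blob is constructed, and BUFSIZ is assumed to be 1024 so that netobuf[2*BUFSIZ] is 2048 bytes. The fixed-buffer version refuses an oversized ticket instead of reproducing the overflow, which is the smallest change that stops the corruption the report describes.

```c
#include <stdlib.h>
#include <string.h>

/* Sizes taken from the report: the static work buffer in
 * libtelnet/kerberos5.c and the telnet network output ring.
 * BUFSIZ is platform-specific; 1024 (a 2048-byte ring) is assumed here. */
#define STR_DATA_LEN 2048
#define NETOBUF_LEN  (2 * 1024)

/* Constructed stand-in for a ticket whose Authorization-Data grew with
 * group membership: a blob of the requested length filled with a pattern.
 * Not a real Kerberos encoding. The caller frees it. */
unsigned char *make_fake_ticket(size_t len)
{
    unsigned char *t = malloc(len ? len : 1);
    if (!t)
        return NULL;
    for (size_t i = 0; i < len; i++)
        t[i] = (unsigned char)(i & 0xff);
    return t;
}

/* Pattern 1: the fixed static buffer the report describes. With no bound
 * check, a ticket longer than 2048 bytes runs past str_data into whatever
 * is declared after it (the report names the krb5_context). Here the
 * oversized copy is refused instead: the minimal fix. */
static unsigned char str_data[STR_DATA_LEN];

int put_ticket_fixed(const unsigned char *tkt, size_t tkt_len)
{
    if (tkt_len > sizeof str_data)
        return -1;                  /* would overflow: reject, don't copy */
    memcpy(str_data, tkt, tkt_len);
    return (int)tkt_len;
}

/* Pattern 2: the submitter's recommendation, a work buffer sized from the
 * ticket itself, so nothing adjacent can be clobbered. Caller frees. */
unsigned char *put_ticket_dynamic(const unsigned char *tkt, size_t tkt_len,
                                  size_t *out_len)
{
    unsigned char *buf = malloc(tkt_len ? tkt_len : 1);
    if (!buf)
        return NULL;
    memcpy(buf, tkt, tkt_len);
    *out_len = tkt_len;
    return buf;
}

/* Pattern 3: sending a ticket larger than the output ring by filling the
 * ring, flushing it, and continuing. 'sink' stands in for the socket and
 * must have room for 'len' bytes. Returns the number of flushes. */
int send_through_ring(const unsigned char *data, size_t len,
                      unsigned char *sink)
{
    unsigned char ring[NETOBUF_LEN];
    size_t fill = 0, sent = 0;
    int flushes = 0;

    while (sent < len) {
        size_t room = sizeof ring - fill;
        size_t n = (len - sent < room) ? len - sent : room;
        memcpy(ring + fill, data + sent, n);
        fill += n;
        sent += n;
        if (fill == sizeof ring || sent == len) {     /* ring full or done */
            memcpy(sink + (sent - fill), ring, fill); /* "write to network" */
            fill = 0;
            flushes++;
        }
    }
    return flushes;
}

/* Exercise all three with a 3000-byte ticket (larger than either buffer).
 * Returns 1 when every pattern behaves as described above, 0 otherwise. */
int run_checks(void)
{
    unsigned char sink[3000];
    size_t n = 0;
    int ok = 0;
    unsigned char *t = make_fake_ticket(3000);
    if (!t)
        return 0;
    unsigned char *d = put_ticket_dynamic(t, 3000, &n);
    ok = put_ticket_fixed(t, 1000) == 1000      /* fits the static buffer */
      && put_ticket_fixed(t, 3000) == -1        /* refused, not overflowed */
      && d != NULL && n == 3000 && memcmp(d, t, 3000) == 0
      && send_through_ring(t, 3000, sink) == 2  /* 2048 + 952 bytes */
      && memcmp(sink, t, 3000) == 0
      && send_through_ring(t, 1000, sink) == 1;
    free(d);
    free(t);
    return ok;
}
```

A real fix would size the work buffer from the decoded ticket length at the point the ticket is received, as the submitter suggests, rather than picking a larger constant; the loop in send_through_ring is the shape of the "flush and continue" behaviour the report asks for, since the ticket length is not known when the ring is allocated.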