[krbdev.mit.edu #3086] [Sergio Gelato] Bug#311977: libkrb53: gss_init_sec_context sometimes fails to initialise output_token

Sam Hartman via RT rt-comment at krbdev.mit.edu
Sat Jun 4 19:29:38 EDT 2005


Subject: Bug#311977: libkrb53: gss_init_sec_context sometimes fails to
 initialise output_token
Reply-To: Sergio Gelato <Sergio.Gelato at astro.su.se>,
	311977-maintonly at bugs.debian.org
Resent-From: Sergio Gelato <Sergio.Gelato at astro.su.se>
Resent-To: Sam Hartman <hartmans at debian.org>
Resent-Date: Sat, 04 Jun 2005 15:18:28 UTC
Resent-Message-ID: <handler.311977.M.111789808127655 at bugs.debian.org>
X-Debian-PR-Message: report 311977
X-Debian-PR-Package: libkrb53
Message-ID: <42A1C51C.20604 at astro.su.se>
Date: Sat, 04 Jun 2005 17:13:32 +0200
From: Sergio Gelato <Sergio.Gelato at astro.su.se>
To: maintonly at bugs.debian.org

Package: libkrb53
Version: 1.3.6-2

In investigating a suspicious "free(): invalid pointer" message from 
ssh-krb5 3.8.1p1-7 I discovered that gss_init_sec_context() doesn't 
always initialise output_token (setting output_token->length=0 would be 
enough) as required by RFC 2744 section 5.19.

On the OpenSSH side, the problem is exposed by a call from 
ssh_gssapi_check_mechanism() that occurs just before kex_setup(). It 
would be easy to work around the problem at that point (e.g., by adding 
a send_tok->length=0; in ssh_gssapi_init_ctx), but my reading of the API 
specification is that gss_init_sec_context(), not the caller, is 
responsible for initialising the output token.
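As an added illustration (not code from the report or from MIT Kerberos), a small C sketch of both sides of the RFC 2744 section 5.19 contract: a harness that detects a callee leaving output_token untouched, and the caller-side workaround the report mentions. The buffer type and the simulated init_sec_context_sim() are stand-ins assumed here so the example builds without libgssapi; they are not the library's own names.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for gss_buffer_desc (same two fields as the real type) so the
 * example builds without libgssapi; an assumption, not the library's type. */
typedef struct { size_t length; void *value; } tok_buffer_desc;

/* Simulates the reported defect: the early error path returns without
 * writing *output_token, while the success path fills it in. */
static int init_sec_context_sim(int have_creds, tok_buffer_desc *output_token) {
    if (!have_creds)
        return 1;                     /* error: output_token left untouched */
    output_token->length = 5;
    output_token->value = malloc(5);
    memcpy(output_token->value, "token", 5);
    return 0;
}

/* Contract check: poison the buffer with a sentinel, call the routine, and
 * report whether it overwrote the buffer. Returns 1 if the callee kept the
 * RFC 2744 contract, 0 if it left the caller's garbage in place. */
static int callee_initialises_token(int have_creds) {
    static char sentinel;
    tok_buffer_desc tok = { (size_t)-1, &sentinel };
    int ok;
    init_sec_context_sim(have_creds, &tok);
    ok = !(tok.length == (size_t)-1 && tok.value == &sentinel);
    if (ok && tok.value != &sentinel)
        free(tok.value);              /* stands in for gss_release_buffer() */
    return ok;
}

/* Caller-side workaround from the report: start from an empty buffer
 * (the equivalent of GSS_C_EMPTY_BUFFER / send_tok->length = 0) and release
 * only when the callee actually produced a token. Returns 1 if a token was
 * released, 0 if there was nothing to release. */
static int call_with_workaround(int have_creds) {
    tok_buffer_desc send_tok = { 0, NULL };
    init_sec_context_sim(have_creds, &send_tok);
    if (send_tok.length == 0 || send_tok.value == NULL)
        return 0;                     /* nothing to free: no invalid pointer */
    free(send_tok.value);             /* stands in for gss_release_buffer() */
    return 1;
}
```

Without the pre-initialisation, the error path hands whatever was on the stack to the release routine, which is the "free(): invalid pointer" the report observed.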
