[krbdev.mit.edu #4567] KDC can crash for certain client requests when preauth plugins are used
The RT System itself via RT
rt-comment at krbdev.mit.edu
Mon Oct 30 18:37:16 EST 2006
Date: Mon, 30 Oct 2006 17:17:21 -0500
From: Nalin Dahyabhai <nalin at redhat.com>
Message-Id: <200610302217.k9UMHLg8008214 at localhost.localdomain>
To: krb5-bugs at mit.edu
Subject: crasher in preauth plugin support
X-send-pr-version: 3.99
>Submitter-Id: net
>Originator: Nalin Dahyabhai
>Organization: Red Hat
>Confidential: no
>Synopsis: KDC can crash for certain client requests when preauth plugins are used
>Severity: serious
>Priority: medium
>Category: krb5-kdc
>Class: sw-bug
>Release: trunk
>Environment:
System: Linux sparky 2.6.18-1.2798.fc6 #1 SMP Mon Oct 16 14:37:32 EDT 2006 i686 athlon i386 GNU/Linux
Architecture: i686
Reply-To: nalin at redhat.com
>Description:
If the client's AS request doesn't include any preauthentication
data, and there is at least one module loaded which implements
preauthentication and advertises that it replaces the key which is
used to encrypt the reply, the KDC will crash when it attempts to
compare the preauth type which the module implements with one or
more of the types of preauth data which the client supplied.
>How-To-Repeat:
Load the wpse module, and attempt to get credentials for a user
who does not have the requires_preauth flag set in the KDB entry.
>Fix:
Index: src/kdc/kdc_preauth.c
===================================================================
--- src/kdc/kdc_preauth.c (revision 18750)
+++ src/kdc/kdc_preauth.c (working copy)
@@ -721,25 +721,28 @@
}
}
- /* Now sort just the modules which replace the key, placing those which
- * handle the pa_data types provided by the client ahead of the others. */
- for (i = 0; preauth_systems[pa_order[i]].flags & PA_REPLACES_KEY; i++) {
- continue;
- }
- n_key_replacers = i;
- for (i = 0; i < n_key_replacers; i++) {
- if (pa_list_includes(request->padata,
- preauth_systems[pa_order[i]].type))
- continue;
- for (j = i + 1; j < n_key_replacers; j++) {
- if (pa_list_includes(request->padata,
- preauth_systems[pa_order[j]].type)) {
- k = pa_order[j];
- pa_order[j] = pa_order[i];
- pa_order[i] = k;
- break;
- }
- }
- }
+ if (request->padata != NULL) {
+ /* Now reorder the subset of modules which replace the key, bubbling
+ * those which handle pa_data types provided by the client ahead of the
+ * others. */
+ for (i = 0; preauth_systems[pa_order[i]].flags & PA_REPLACES_KEY; i++) {
+ continue;
+ }
+ n_key_replacers = i;
+ for (i = 0; i < n_key_replacers; i++) {
+ if (pa_list_includes(request->padata,
+ preauth_systems[pa_order[i]].type))
+ continue;
+ for (j = i + 1; j < n_key_replacers; j++) {
+ if (pa_list_includes(request->padata,
+ preauth_systems[pa_order[j]].type)) {
+ k = pa_order[j];
+ pa_order[j] = pa_order[i];
+ pa_order[i] = k;
+ break;
+ }
+ }
+ }
+ }
#ifdef DEBUG
krb5_klog_syslog(LOG_DEBUG, "original preauth mechanism list:");
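Review bot: the new `if (request->padata != NULL)` guard protects only this caller; since the crash is pa_list_includes being asked about a NULL padata list, making pa_list_includes itself treat a NULL list as containing nothing would cover every caller and let the reordering block stay unconditional. Separately, the counting loop `for (i = 0; preauth_systems[pa_order[i]].flags & PA_REPLACES_KEY; i++)` has no upper bound on i and terminates only on an entry without PA_REPLACES_KEY; if pa_order has no such terminating entry (every configured module replaces the key) it reads past the end of the array, so bounding it by the number of entries would be safer. Minor: the rewritten comment says "bubbling ... ahead of the others", but the inner loop swaps pa_order[i] and pa_order[j] rather than shifting, so the relative order of the non-preferred modules is not preserved; "moving" describes what the code does.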
More information about the krb5-bugs
mailing list
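As an added illustration of the failure mode in this report (example code, not from MIT krb5 and not the reporter's patch): a reduced model of the reordering of key-replacing preauth modules, with a pa_list_includes that treats a NULL padata list as empty and a counting loop bounded by the table size, so neither a request without preauth data nor a table made entirely of key replacers can cause an out-of-bounds read. The structures, the numeric flag value, the pa types 1 to 4 and the scenario() helper are constructed for the example; only the names PA_REPLACES_KEY, pa_list_includes and pa_order are taken from the patch.

```c
#include <stddef.h>
#include <stdio.h>

/* Flag name taken from the patch; the numeric value is a constructed
 * placeholder, not the KDC's real definition. */
#define PA_REPLACES_KEY 0x1

/* Constructed stand-ins for the KDC's preauth_systems table and for the
 * request's padata list (modelled as a NULL-terminated array of pointers). */
typedef struct { int type; int flags; } preauth_system;
typedef struct { int pa_type; } pa_data;

/* NULL-safe membership test. The reported crash comes from asking whether a
 * type is present in a padata list that is NULL; here a NULL list simply
 * contains nothing, so every caller is protected. */
static int pa_list_includes(pa_data **padata, int pa_type)
{
    if (padata == NULL)
        return 0;
    for (; *padata != NULL; padata++)
        if ((*padata)->pa_type == pa_type)
            return 1;
    return 0;
}

/* Same reordering as the patched code: the leading run of key-replacing
 * modules in pa_order is rearranged so that modules whose pa type the client
 * actually sent come first. The counting loop is bounded by n_systems rather
 * than relying on a non-replacer terminating the run. Returns n_key_replacers. */
int reorder_key_replacers(const preauth_system *systems, int n_systems,
                          int *pa_order, pa_data **padata)
{
    int i, j, k, n_key_replacers;

    for (i = 0; i < n_systems; i++)
        if (!(systems[pa_order[i]].flags & PA_REPLACES_KEY))
            break;
    n_key_replacers = i;

    if (padata == NULL)      /* request carried no preauth data: keep the order */
        return n_key_replacers;

    for (i = 0; i < n_key_replacers; i++) {
        if (pa_list_includes(padata, systems[pa_order[i]].type))
            continue;
        for (j = i + 1; j < n_key_replacers; j++) {
            if (pa_list_includes(padata, systems[pa_order[j]].type)) {
                k = pa_order[j];
                pa_order[j] = pa_order[i];
                pa_order[i] = k;
                break;
            }
        }
    }
    return n_key_replacers;
}

/* Constructed scenario: three key-replacing modules followed by one that is not. */
#define N_SYSTEMS 4
static const preauth_system demo_systems[N_SYSTEMS] = {
    { 1, PA_REPLACES_KEY }, { 2, PA_REPLACES_KEY }, { 3, PA_REPLACES_KEY }, { 4, 0 }
};

/* Pack pa_order into a decimal number, e.g. {2,1,0,3} -> 2103, for easy checks. */
static int order_code(const int *order, int n)
{
    int i, code = 0;
    for (i = 0; i < n; i++)
        code = code * 10 + order[i];
    return code;
}

/* Run the reorder for a request that supplies exactly one pa type, or no
 * padata at all when supplied_type is 0, and return the resulting order code. */
int scenario(int supplied_type)
{
    int pa_order[N_SYSTEMS] = { 0, 1, 2, 3 };
    pa_data one = { supplied_type };
    pa_data *list[2] = { &one, NULL };

    reorder_key_replacers(demo_systems, N_SYSTEMS, pa_order,
                          supplied_type ? list : NULL);
    return order_code(pa_order, N_SYSTEMS);
}

int main(void)
{
    printf("no padata:     %04d\n", scenario(0));  /* 0123: order untouched, no crash */
    printf("client sent 3: %04d\n", scenario(3));  /* 2103: module for type 3 moved first */
    printf("client sent 2: %04d\n", scenario(2));  /* 1023 */
    return 0;
}
```

The case scenario(0) is the one from the report: an AS request with no padata at all. With the original code the reordering loop would hand a NULL list to pa_list_includes; here it returns the unchanged order, and a request naming a type that no key-replacing module handles (scenario(4)) also leaves the order alone.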