[krbdev.mit.edu #6681] krb5_get_init_creds_password() can crash with NULL options and expired keys

The RT System itself via RT rt-comment at krbdev.mit.edu
Fri Mar 12 17:09:52 EST 2010


From krb5-bugs-incoming-bounces at PCH.mit.edu  Fri Mar 12 17:09:51 2010
Return-Path: <krb5-bugs-incoming-bounces at PCH.mit.edu>
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
	by krbdev.mit.edu (Postfix) with ESMTP id 6F5423F0EA;
	Fri, 12 Mar 2010 17:09:51 -0500 (EST)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
	by pch.mit.edu (8.13.6/8.12.8) with ESMTP id o2CM9pvo013889;
	Fri, 12 Mar 2010 17:09:51 -0500
Received: from mailhub-dmz-4.mit.edu (MAILHUB-DMZ-4.MIT.EDU [18.7.62.38])
	by pch.mit.edu (8.13.6/8.12.8) with ESMTP id o2CK6PZa027250
	for <krb5-bugs-incoming at PCH.mit.edu>; Fri, 12 Mar 2010 15:06:25 -0500
Received: from dmz-mailsec-scanner-8.mit.edu (DMZ-MAILSEC-SCANNER-8.MIT.EDU
	[18.7.68.37])
	by mailhub-dmz-4.mit.edu (8.13.8/8.9.2) with ESMTP id o2CK5ubG002176
	for <krb5-bugs at mit.edu>; Fri, 12 Mar 2010 15:06:25 -0500
X-AuditID: 12074425-b7d00ae000002295-a4-4b9a9ec07b72
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
	by dmz-mailsec-scanner-8.mit.edu (Symantec Brightmail Gateway) with
	SMTP id 62.03.08853.1CE9A9B4; Fri, 12 Mar 2010 15:06:25 -0500 (EST)
Received: from int-mx02.intmail.prod.int.phx2.redhat.com
	(int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])
	by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id o2CK6OnX015470
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
	for <krb5-bugs at mit.edu>; Fri, 12 Mar 2010 15:06:24 -0500
Received: from blade.bos.redhat.com (blade.bos.redhat.com [10.16.0.23])
	by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id o2CK6NEF027566
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <krb5-bugs at mit.edu>; Fri, 12 Mar 2010 15:06:23 -0500
Received: from blade.bos.redhat.com (localhost [127.0.0.1])
	by blade.bos.redhat.com (8.14.4/8.14.3) with ESMTP id o2CK6M6f022913
	for <krb5-bugs at mit.edu>; Fri, 12 Mar 2010 15:06:22 -0500
Received: (from nalin at localhost)
	by blade.bos.redhat.com (8.14.4/8.14.4/Submit) id o2CK6M6N022912;
	Fri, 12 Mar 2010 15:06:22 -0500
Date: Fri, 12 Mar 2010 15:06:22 -0500
Message-Id: <201003122006.o2CK6M6N022912 at blade.bos.redhat.com>
To: krb5-bugs at mit.edu
Subject: krb5_get_init_creds_password() can crash with NULL options and
	expired keys
From: nalin at redhat.com
X-send-pr-version: 3.99
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12
X-Brightmail-Tracker: AAAAAhM9I9YTPgcy
X-Mailman-Approved-At: Fri, 12 Mar 2010 17:09:50 -0500
X-BeenThere: krb5-bugs-incoming at mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Reply-To: nalin at redhat.com
Sender: krb5-bugs-incoming-bounces at PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces at PCH.mit.edu


>Submitter-Id:	net
>Originator:	Nalin Dahyabhai
>Organization:
>Confidential:	no
>Synopsis:	krb5_get_init_creds_password() can crash with NULL options and expired keys
>Severity:	non-critical
>Priority:	medium
>Category:	krb5-libs
>Class:		sw-bug
>Release:	1.8
>Environment:
	
System: Linux blade.bos.redhat.com 2.6.31.9-174.fc12.x86_64 #1 SMP Mon Dec 21 05:33:33 UTC 2009 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64

>Description:
	Bert Barbé noted, on kerberos@, that krb5_get_init_creds_password(),
	if it was dealing with an expired key, could try to dereference its
	"options" argument to read flags before checking that "options"
	wasn't NULL.
>Fix:
	This patch creates a krb5_gic_opt_ext structure from the passed-in
	options value, which ensures that when we go to check the flags, we
	get the library defaults if we were passed NULL.
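
The pattern behind this fix, as an added example rather than krb5's own code: a caller is allowed to pass NULL for its options, so the flags must be read only after NULL has been resolved to a library-default structure, and the allocated copy must be freed only when it is not the caller's own block. The types, names and flag value below (gic_opt, gic_opt_ext, opt_to_opte, OPT_CHG_PWD_PRMPT) are hypothetical stand-ins for the krb5 types, not the library's API; the default of "prompting enabled unless the caller turned it off" follows the comment quoted in the patch.

```c
/* Added example (not krb5 code): resolve NULL options to defaults before
 * reading flags.  All names here are hypothetical stand-ins for krb5 types. */
#include <stdlib.h>

#define OPT_CHG_PWD_PRMPT 0x0001   /* "prompt to change an expired password" */

typedef struct { unsigned int flags; } gic_opt;            /* caller-visible options */
typedef struct { gic_opt opt; int extended; } gic_opt_ext; /* library-internal view  */

/* Build the extended structure.  If the caller passed NULL, fill in the
 * library defaults (prompting enabled).  Returns 0 on success, -1 on
 * allocation failure; on failure *out stays NULL, so callers must check
 * the return value instead of dereferencing *out. */
static int opt_to_opte(const gic_opt *in, gic_opt_ext **out)
{
    gic_opt_ext *e = calloc(1, sizeof(*e));
    *out = NULL;
    if (e == NULL)
        return -1;
    e->opt.flags = (in != NULL) ? in->flags : OPT_CHG_PWD_PRMPT;
    e->extended = 1;
    *out = e;
    return 0;
}

/* Buggy shape from the report: reads options->flags before any NULL check,
 * so a NULL "options" argument dereferences NULL. */
static int prompt_allowed_buggy(const gic_opt *options)
{
    return (options->flags & OPT_CHG_PWD_PRMPT) != 0;
}

/* Fixed shape: resolve first, read the flags from the resolved structure,
 * then release the copy we allocated.  Returns 1/0, or -1 if resolution
 * failed (handled explicitly rather than touching a NULL pointer). */
static int prompt_allowed_fixed(const gic_opt *options)
{
    gic_opt_ext *opte = NULL;
    int allowed;

    if (opt_to_opte(options, &opte) != 0)
        return -1;
    allowed = (opte->opt.flags & OPT_CHG_PWD_PRMPT) != 0;
    free(opte);
    return allowed;
}

/* Helper: evaluate a caller-supplied option block carrying "flags". */
static int prompt_allowed_with_flags(unsigned int flags)
{
    gic_opt o;
    o.flags = flags;
    return prompt_allowed_fixed(&o);
}

/* Helper: for non-NULL options the buggy and fixed paths must agree;
 * the only behavioural difference is the NULL case. */
static int buggy_and_fixed_agree(unsigned int flags)
{
    gic_opt o;
    o.flags = flags;
    return prompt_allowed_buggy(&o) == prompt_allowed_fixed(&o);
}
```

Calling prompt_allowed_fixed(NULL) returns 1 (the default), whereas prompt_allowed_buggy(NULL) would crash; the point of checking opt_to_opte's return value is that an allocation failure must not leave the code reading through a NULL pointer by a second route.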

Index: src/lib/krb5/krb/gic_pwd.c
===================================================================
--- src/lib/krb5/krb/gic_pwd.c	(revision 23799)
+++ src/lib/krb5/krb/gic_pwd.c	(working copy)
@@ -123,6 +123,7 @@
     int tries;
     krb5_creds chpw_creds;
     krb5_get_init_creds_opt *chpw_opts = NULL;
+    krb5_gic_opt_ext *opte = NULL;
     krb5_data pw0, pw1;
     char banner[1024], pw0array[1024], pw1array[1024];
     krb5_prompt prompt[2];
@@ -218,7 +219,8 @@
      * to prompt.  Prompting is only disabled if the option has been set
      * and the value has been set to false.
      */
-    if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
+    krb5int_gic_opt_to_opte(context, options, &opte, 1, NULL);
+    if (!(opte->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
         goto cleanup;
 
     /* ok, we have an expired password.  Give the user a few chances
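Review bot: the return value of the new `krb5int_gic_opt_to_opte(context, options, &opte, 1, NULL);` call is discarded, so if that call fails (for instance on allocation failure when it has to build an extended structure for a NULL or non-extended `options`) `opte` stays NULL and the very next line, `opte->flags`, dereferences NULL, reintroducing the crash this patch sets out to fix. Suggest assigning the result to the function's krb5_error_code variable and doing `goto cleanup` on non-zero so the failure is returned to the caller instead.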
@@ -332,6 +334,8 @@
                                  &use_master, &as_reply);
 
 cleanup:
+    if (opte != options)
+        krb5_get_init_creds_opt_free(context, opte);
     krb5int_set_prompt_types(context, 0);
     /* if getting the password was successful, then check to see if the
        password is about to expire, and warn if so */
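Review bot: `opte != options` compares a `krb5_gic_opt_ext *` with a `krb5_get_init_creds_opt *`, and `krb5_get_init_creds_opt_free(context, opte)` passes the extended pointer where the public type is expected; both draw incompatible-pointer-type warnings, so cast explicitly, e.g. `if ((krb5_get_init_creds_opt *)opte != options) krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte);`. Also, every `goto cleanup` taken before the new `krb5int_gic_opt_to_opte()` call reaches this block with `opte == NULL`; when `options` is non-NULL the condition is true and NULL is handed to `krb5_get_init_creds_opt_free()`, so either confirm that function tolerates NULL or add `opte != NULL &&` to the condition.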