Regarding "MIT krb5 Security Advisory 2005-002" fix
jhutz at cmu.edu
Tue Sep 19 01:13:26 EDT 2006
On Tuesday, September 19, 2006 10:12:36 AM +0530 Sachin Punadikar
<punadikar.sachin at gmail.com> wrote:
> I would like to point out that the above fix is only for the UDP
> communication part.
That's because the bug, which is due to use of an uninitialized automatic
variable, only exists in that code path.
> For TCP communication, this kind of fix is missing.
> Here is the fix for TCP communication part.
> File: src/kdc/network.c
> Function : accept_tcp_connection()
> Line number : around 825
> newconn->u.tcp.addr_s = addr_s;
> newconn->u.tcp.addrlen = addrlen;
> newconn->u.tcp.bufsiz = 1024 * 1024;
> newconn->u.tcp.buffer = malloc(newconn->u.tcp.bufsiz);
> newconn->u.tcp.start_time = time(0);
> newconn->u.tcp.response = NULL; /* Fix for MIT krb5 Security
> Advisory 2005-002: TCP part */
> Let me know whether I am correct?
No; this change is not required. In the UDP case, the fix initializes an
automatic (stack) variable which was used before being initialized. In the
code you quote above, the *newconn was zeroed when it was allocated by
add_fd(), so those structure members needing nonzero values need to be
Technically, this makes the assumption that the underlying representation
of a NULL pointer has all bits cleared, which is not guaranteed to be true.
However, it is true on pretty much all modern systems, and certainly any on
which this code builds.
BTW, please note that krbdev at mit.edu is a public mailing list, and might
not be an appropriate forum for reporting security issues. For that
purpose you may instead want to send mail to krbcore at mit.edu (a private
internal list), or send PGP-encrypted mail to one of the people whose email
addresses appear at http://web.mit.edu/kerberos/contact.html
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
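The distinction drawn in the reply above, shown in a small constructed C program that is not code from MIT krb5 and not the patch the poster proposed: a heap object zero-filled by its allocator (the TCP case, where add_fd() has already zeroed *newconn) needs no explicit NULL assignment, whereas an automatic variable in a function body (the UDP case) is indeterminate until it is assigned and must be initialized before any cleanup path can touch it. The names conn, conn_new_tcp, handle_udp_request and null_is_all_zero_bits, the four-byte "KRB5" tag, and the error path are all invented for the illustration; the last function is the runtime check for the caveat the reply raises, that relying on calloc() for NULL assumes a null pointer is represented as all-bits-zero.

```c
/* Constructed illustration, not MIT krb5 code: explicit initialization of an
 * automatic pointer versus an allocator-zeroed heap object, plus a check of
 * the all-bits-zero null pointer assumption. All names are invented. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the per-connection state the TCP path keeps. */
struct conn {
    size_t bufsiz;
    char *buffer;
    char *response;   /* assigned later, once a reply is ready */
};

/* Stand-in for add_fd(): calloc() zero-fills the structure, so on any platform
 * where null is all-bits-zero every pointer member already compares equal to
 * NULL. No "c->response = NULL" is needed here. */
struct conn *conn_new_tcp(size_t bufsiz)
{
    struct conn *c = calloc(1, sizeof *c);
    if (c == NULL)
        return NULL;
    c->bufsiz = bufsiz;
    c->buffer = malloc(bufsiz);
    if (c->buffer == NULL) {
        free(c);
        return NULL;
    }
    return c;
}

void conn_free(struct conn *c)
{
    if (c == NULL)
        return;
    free(c->buffer);
    free(c->response);   /* NULL from calloc() unless a reply was attached */
    free(c);
}

/* Stand-in for the UDP path: state lives in automatic (stack) variables.
 * Without the "= NULL" initializer, an early exit would reach the cleanup
 * label with "response" still indeterminate and free() would be handed
 * garbage. The initializer is the whole fix. Returns 0 on success and hands
 * the reply to the caller via *out, or -1 on error with *out set to NULL. */
int handle_udp_request(const char *req, size_t reqlen, char **out)
{
    char *response = NULL;   /* initialized: every path below may free() it */
    int ret = -1;
    *out = NULL;

    /* Constructed framing check: reject anything not starting with "KRB5". */
    if (reqlen < 4 || memcmp(req, "KRB5", 4) != 0)
        goto cleanup;        /* error path: response was never assigned */

    response = malloc(reqlen + 1);
    if (response == NULL)
        goto cleanup;
    memcpy(response, req, reqlen);
    response[reqlen] = '\0';
    *out = response;
    response = NULL;         /* ownership passed to the caller */
    ret = 0;

cleanup:
    free(response);          /* safe on every path only because of the initializer */
    return ret;
}

/* The caveat from the reply: C does not promise that a null pointer is stored
 * as all-bits-zero, so a program that leans on calloc()/memset() for NULL
 * should verify it rather than assume it. Returns 1 if the assumption holds. */
int null_is_all_zero_bits(void)
{
    char *p;
    memset(&p, 0, sizeof p);
    return p == NULL;
}

int main(void)
{
    struct conn *c = conn_new_tcp(1024);
    char *reply = NULL;
    printf("calloc'd response is NULL: %s\n", c && c->response == NULL ? "yes" : "no");
    printf("bad request returns %d\n", handle_udp_request("junk", 4, &reply));
    printf("good request returns %d\n", handle_udp_request("KRB5abc", 7, &reply));
    printf("null pointer is all-bits-zero here: %s\n", null_is_all_zero_bits() ? "yes" : "no");
    free(reply);
    conn_free(c);
    return 0;
}
```

The two paths differ only in who zeroed the storage: calloc() for the heap object, the programmer for the stack variable. The null_is_all_zero_bits() check is cheap enough to run once at startup on any platform where the all-bits-zero assumption has not already been confirmed.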