Regarding "MIT krb5 Security Advisory 2005-002" fix

Jeffrey Hutzelman jhutz at cmu.edu
Tue Sep 19 01:13:26 EDT 2006

On Tuesday, September 19, 2006 10:12:36 AM +0530 Sachin Punadikar 
<punadikar.sachin at gmail.com> wrote:

> I would like to point out that the above fix is only for the UDP
> communication part.

That's because the bug, which is due to use of an uninitialized automatic 
variable, only exists in that code path.

> For TCP communication, this kind of fix is missing.
> Here is the fix for TCP communication part.
> =============================================
> File: src/kdc/network.c
> Function : accept_tcp_connection()
> Line number : around 825
>     newconn->u.tcp.addr_s = addr_s;
>     newconn->u.tcp.addrlen = addrlen;
>     newconn->u.tcp.bufsiz = 1024 * 1024;
>     newconn->u.tcp.buffer = malloc(newconn->u.tcp.bufsiz);
>     newconn->u.tcp.start_time = time(0);
>     newconn->u.tcp.response = NULL;   /* Fix for MIT krb5 Security
>                                          Advisory 2005-002: TCP part */
> ===============================================
>
> Let me know whether I am correct?

No; this change is not required.  In the UDP case, the fix initializes an 
automatic (stack) variable which was used before being initialized.  In the 
code you quote above, the *newconn was zeroed when it was allocated by 
add_fd(), so those structure members needing nonzero values need to be 
initialized here.

Technically, this makes the assumption that the underlying representation 
of a NULL pointer has all bits cleared, which is not guaranteed to be true. 
However, it is true on pretty much all modern systems, and certainly any on 
which this code builds.


BTW, please note that krbdev at mit.edu is a public mailing list, and might 
not be an appropriate forum for reporting security issues.  For that 
purpose you may instead want to send mail to krbcore at mit.edu (a private 
internal list), or send PGP-encrypted mail to one of the people whose email 
addresses appear at http://web.mit.edu/kerberos/contact.html

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
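As an added illustration (not code from this thread or from krb5), the two allocation patterns the reply contrasts, using hypothetical stand-in struct and function names: a heap object zeroed at allocation (as add_fd() is described as doing), an automatic variable that must be initialized explicitly, and a check for the NULL-representation caveat.

```c
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Hypothetical stand-in for the krb5 connection state; only the members
 * quoted in the thread are modelled. */
struct tcp_conn {
    size_t bufsiz;
    char *buffer;
    time_t start_time;
    void *response;
};

/* TCP-side pattern: the block comes back zeroed (calloc here stands in for
 * the zeroing add_fd() does), so only members needing nonzero values are
 * stored; response is left as the all-bits-zero the allocator produced. */
struct tcp_conn *new_tcp_conn(size_t bufsiz) {
    struct tcp_conn *c = calloc(1, sizeof *c);
    if (c == NULL) return NULL;
    c->bufsiz = bufsiz;
    c->buffer = malloc(bufsiz);
    c->start_time = time(0);
    return c;
}

void free_tcp_conn(struct tcp_conn *c) {
    if (c) { free(c->buffer); free(c); }
}

/* Allocate, inspect response, release; returns 1 if response reads as NULL. */
int heap_conn_response_is_null(size_t bufsiz) {
    struct tcp_conn *c = new_tcp_conn(bufsiz);
    if (c == NULL) return -1;
    int is_null = (c->response == NULL);
    free_tcp_conn(c);
    return is_null;
}

/* UDP-side pattern: an automatic variable holds indeterminate values until
 * written, so a pointer member must be set before use. A {0} initializer
 * assigns a genuine null pointer constant, independent of NULL's bit pattern. */
int automatic_conn_response_is_null(void) {
    struct tcp_conn local = {0};
    return local.response == NULL;
}

/* The reply's caveat: zeroed memory is a null pointer only where NULL is
 * represented as all bits clear. Reports whether this platform qualifies. */
int null_is_all_bits_zero(void) {
    void *p = NULL;
    unsigned char zeros[sizeof p];
    memset(zeros, 0, sizeof zeros);
    return memcmp(&p, zeros, sizeof p) == 0;
}
```

Where null_is_all_bits_zero() returns 1, relying on the zeroed allocation is sound; where it does not, only the explicit initializer pattern is portable.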