possible bug in 1.6.1 gic_opt.c
Jeffrey Altman
jaltman at MIT.EDU
Tue May 1 21:49:55 EDT 2007
Here is the correct / tested patch. It applies to gic_opt.c not
gc_frm_kdc.c.
Index: gic_opt.c
===================================================================
--- gic_opt.c (revision 19536)
+++ gic_opt.c (working copy)
@@ -206,11 +206,21 @@
oe = krb5int_gic_opte_alloc(context);
if (NULL == oe)
return ENOMEM;
- memcpy(oe, opt, sizeof(*opt));
- /* Fix these -- overwritten by the copy */
- oe->flags |= ( KRB5_GET_INIT_CREDS_OPT_EXTENDED |
- KRB5_GET_INIT_CREDS_OPT_SHADOWED);
+
+ if (opt)
+ memcpy(oe, opt, sizeof(*opt));
+ /*
+ * Fix the flags -- the EXTENDED flag would have been
+ * overwritten by the copy if there was one. The
+ * SHADOWED flag is necessary to ensure that the
+ * krb5_gic_opt_ext structure that was allocated
+ * here will be freed by the library because the
+ * application is unaware of its existence.
+ */
+ oe->flags |= (KRB5_GET_INIT_CREDS_OPT_EXTENDED |
+ KRB5_GET_INIT_CREDS_OPT_SHADOWED);
+
*opte = oe;
return 0;
}
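Review bot: When `opt` is NULL the new `if (opt)` guard skips the memcpy, so every field of `oe` other than `flags` is left as krb5int_gic_opte_alloc returned it; this hunk no longer clears the structure, so it is correct only if that allocator zero-fills the object (calloc or an explicit memset), which is not visible here and should be stated at the call, e.g. `/* oe is zero-filled by krb5int_gic_opte_alloc; with a NULL opt only flags need setting */`. If the allocator does not zero-fill, an explicit clear sized by the object actually being cleared, `memset(oe, 0, sizeof(*oe));`, belongs on the NULL path. Note also that the copy transfers only `sizeof(*opt)` bytes into the larger extended structure, which looks intentional since the remaining fields are private to the library. The hunk header advertises 11/21 lines but only 10/20 are visible, so a line (probably a blank) may have been dropped by the archive. The enclosing function begins before the hunk.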
Jeffrey Altman wrote:
> You will also need this patch to src/lib/krb5/krb/gc_frm_kdc.c:
>
> Index: gic_opt.c
> ===================================================================
> --- gic_opt.c (revision 19536)
> +++ gic_opt.c (working copy)
> @@ -206,7 +206,11 @@
> oe = krb5int_gic_opte_alloc(context);
> if (NULL == oe)
> return ENOMEM;
> - memcpy(oe, opt, sizeof(*opt));
> + if (opt)
> + memcpy(oe, opt, sizeof(*opt));
> + else
> + memset(oe, 0, sizeof(*opt));
> +
> /* Fix these -- overwritten by the copy */
> oe->flags |= ( KRB5_GET_INIT_CREDS_OPT_EXTENDED |
> KRB5_GET_INIT_CREDS_OPT_SHADOWED);
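Review bot: The `memset(oe, 0, sizeof(*opt))` on the new else branch sizes the clear by the public structure `*opt`, but the object being cleared is `*oe`, the extended structure allocated by krb5int_gic_opte_alloc; unless that allocator already zero-fills, any fields beyond `sizeof(*opt)` remain uninitialized. The safer form is `memset(oe, 0, sizeof(*oe));`, or no memset at all if the allocator is documented to zero-fill, which cannot be determined from the hunk. The enclosing function begins before the hunk.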
>
> Jeffrey Altman wrote:
>> Please try this patch to src/include/k5-int.h:
>>
>> Index: k5-int.h
>> ===================================================================
>> --- k5-int.h (revision 19525)
>> +++ k5-int.h (working copy)
>> @@ -1048,9 +1048,9 @@
>> #define KRB5_GET_INIT_CREDS_OPT_SHADOWED 0x40000000
>>
>> #define krb5_gic_opt_is_extended(s) \
>> - (((s)->flags & KRB5_GET_INIT_CREDS_OPT_EXTENDED) ? 1 : 0)
>> + ((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_EXTENDED) ? 1 : 0)
>> #define krb5_gic_opt_is_shadowed(s) \
>> - (((s)->flags & KRB5_GET_INIT_CREDS_OPT_SHADOWED) ? 1 : 0)
>> + ((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_SHADOWED) ? 1 : 0)
>>
>>
>> typedef struct _krb5_gic_opt_private {
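Review bot: Both rewritten macros now expand `(s)` twice, so an argument with side effects is evaluated twice; the old form evaluated it once. The expression does parse as intended because `&&` binds tighter than `?:`, but making that explicit avoids a second reading, e.g. `((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_EXTENDED)) ? 1 : 0` and the same for the SHADOWED macro. A `static inline` helper would remove the double evaluation entirely, though the header's existing convention is macros.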
>>
>>
>> Jeffrey Altman
>> Secure Endpoints Inc.
>>
>>
>> Mike Dopheide wrote:
>>> We're testing OpenSSH (with GSSAPI patches) and MIT Kerberos 1.6.1 on
>>> RedHat Linux 4 (x86_64). We're seeing a segfault in
>>> krb5_get_init_creds_password. Below is a backtrace and comments (Thanks
>>> Jim).
>>>
>>> Program received signal SIGSEGV, Segmentation fault.
>>> krb5int_gic_opt_to_opte (context=0x571fb0, opt=0x0, opte=0x7fbfffd4e8,
>>> force=1, where=0x2a962d40b7 "krb5_get_init_creds_password")
>>> at ../../../../krb5-1.6.1.ncsa/src/lib/krb5/krb/gic_opt.c:235
>>> 235 ../../../../krb5-1.6.1.ncsa/src/lib/krb5/krb/gic_opt.c: No
>>> such file or directory.
>>> in ../../../../krb5-1.6.1.ncsa/src/lib/krb5/krb/gic_opt.c
>>> (gdb) backtrace
>>> #0 krb5int_gic_opt_to_opte (context=0x571fb0, opt=0x0,
>>> opte=0x7fbfffd4e8, force=1, where=0x2a962d40b7
>>> "krb5_get_init_creds_password")
>>> at ../../../../krb5-1.6.1.ncsa/src/lib/krb5/krb/gic_opt.c:235
>>>
>>> "This line is dereferencing opt, which is NULL. It needs a check for
>>> opt==NULL."
>>>
>>> #1 0x0000002a962a9a3b in krb5_get_init_creds_password
>>> (context=0x571fb0, creds=0x7fbfffe350, client=0x571710,
>>> password=0x571d70 "vintage1990Z", prompter=0, data=0x0, start_time=0,
>>> in_tkt_service=0x0, options=0x0)
>>> at ../../../../krb5-1.6.1.ncsa/src/lib/krb5/krb/gic_pwd.c:132
>>>
>>> "Probably shouldn't be calling krb5int_gic_opt_to_opte() here if
>>> options==NULL."
>>>
>>> If time permits tomorrow I'll see about writing a patch and retesting.
>>>
>>> -Mike