Crash in MIT Kerberos 5 v1.8.3 gss_export_sec_context() for Initiator
martin.rex at sap.com
Fri Dec 17 11:22:35 EST 2010
I received a crash report from one of our customers who is
trying to set up MIT Kerberos 5 v1.8.3 for Single Sign-On
and has used our "gsstest" to check for interop prerequisites.
The customer was faced with a crash/core dump when gsstest
tries to export the Initiator's(!) security context (call stack below).
Exporting the *Acceptor's* security context succeeds according
to gsstest's own debug output; the problem appears to be specific/limited
to calling gss_export_sec_context() for the Initiator.
The (brief) version info included by the customer is:
System: Sun Solaris 10
KrbLib: MIT Kerberos5 1.8.3
The problem seems to be in the serializer, trying to serialize
non-existent auth_data (NULL pointer), which the authdata code
seems not prepared to deal with.
(To me "auth_data" sounds like the PAC that Active Directory
stuffs into tickets. I assume that PAC data only exists on
the acceptor end of security contexts (as a result of
opening a ticket and finding the PAC).
Would an acceptor receiving a "traditional" Kerberos ticket
from an older MIT Kerberos KDC without PAC run into the
same problem when calling gss_export_sec_context()?)
root at sp11in # dbx sun_64/gsstest core
core file header read successfully
detected a multithreaded program
program terminated by signal SEGV (no mapping at the fault address)
0xffffffff7e0a0de8: k5_ad_size+0x0060: ldsw [%l0 + 0x4], %l1
Current function is sapgss_export_sec_context
910 return( gss_export_sec_context( min_stat, in_ctx, out_buffer ) );
current thread: t at 1
 k5_ad_size(0x1000c58e0, 0x0, 0xf, 0xffffffff7fffec60, 0xffffffff7ef00200, 0x0), at 0xffffffff7e0a0de8
 krb5_authdata_context_size(0x1000c58e0, 0x0, 0xffffffff7fffec60, 0x1000c6f80, 0x0, 0xa), at 0xffffffff7e0a3340
 krb5_size_opaque(0x1000c58e0, 0xffffffff970ea73c, 0x0, 0xffffffff7fffec60, 0x15, 0x0), at 0xffffffff7e1471cc
 kg_ctx_size(0x1000c58e0, 0x1000c7d10, 0xffffffff7fffed68, 0xffffffff7e5d7e84, 0x1000c7d10, 0x0), at 0xffffffff7e4b3440
 krb5_gss_export_sec_context(0xffffffff7ffff0ac, 0x1000b6ab0, 0xffffffff7fffee68, 0xffffffff7ebacfc4, 0x1000bd6a0, 0x0), at 0xffffffff7e47a9f4
 gss_export_sec_context(0xffffffff7ffff0ac, 0x1000c2948, 0xffffffff7ffff220, 0x1000a26a8, 0x1000bc780, 0x1000b6aa0), at 0xffffffff7e431cd4
=> sapgss_export_sec_context(min_stat = 0xffffffff7ffff0ac, in_ctx = 0x1000c2948, out_buffer = 0xffffffff7ffff220), line 910 in "snckrb5.c"
 export_sec_context(p_trclevel = 4, p_gssfp = 0x1000b42f0, p_usagetype = CTX_INITIATOR, pp_ctx = 0x1000c2948, p_export_token = 0xffffffff7ffff220, pp_maj_stat = 0xffffffff7ffff20c), line 725 in "contexts.c"
 ctx_transfer_cycle(p_trclevel = 4, p_ctx = 0x1000c28f0), line 1797 in "contexts.c"
 tstm_act_entry(p_trclevel = 4, p_test_title = 0x100095398 "", p_timing = 1, p_step = 0x100090aa0, pp_ini = 0x1000bd400, pp_acc = 0x1000bce20, pp_queue_ini = 0xffffffff7ffff4e0, pp_queue_acc = 0xffffffff7ffff4d8, pp_maj_stat = 0xffffffff7ffff4bc), line 2005 in "msg_prot.c"
 test_message_exchange(p_trclevel = 4, p_test_title = 0x100095398 "", p_timing = 1, p_job = 0x100090a00, pp_ini = 0x1000bd400, pp_acc = 0x1000bce20, pp_queue_ini = (nil), pp_queue_acc = (nil), pp_success = 0xffffffff7ffff634), line 2227 in "msg_prot.c"
 sap_try_context(p_trclevel = 4, p_flags = 310U, p_lifetime = 4294967295U, p_gssfp_ini = 0x1000b42f0, p_gssfp_acc = 0x1000b42f0, p_ini_cred_type = SNC_SIMPLE_CRED, p_acc_cred_type = SNC_GSSNAMED_CRED, p_target = 0x1000c27b0 "SAPServiceSEP/corp.ad.emb at CORP.AD.EMBXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", p_target_len = 37U, p_count = 1U), line 1688 in "contexts.c"
 context_tests(p_gssfp_ini = 0x1000b42f0, p_gssfp_acc = 0x1000b42f0), line 76 in "contexts.c"
 parent_main(p_gssfp_ini = 0x1000b42f0, p_gssfp_acc = 0x1000b42f0), line 725 in "gsstest.c"
 main(argc = 8, argv = 0xffffffff7ffffa58), line 516 in "gsstest.c"
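The failure mode described in the report (a size/serialize pass that dereferences an optional block which is NULL on the initiator side) can be illustrated with a small, self-contained model. This is an added example, not code from the original post and not MIT krb5 code: the structures, the field names (authdata_t, sec_context_t, ctx_size, ctx_export, ctx_import) and the token layout are all hypothetical. It shows a size-then-externalize routine that treats an absent authorization-data block as a zero-length field, and an import routine that rejects truncated tokens instead of reading past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified model of a security context whose
 * authorization-data block is optional (constructed illustration,
 * not the MIT krb5 structures or API). The initiator side never
 * decoded a ticket, so ad is NULL there. */
typedef struct {
    size_t len;
    unsigned char data[32];
} authdata_t;

typedef struct {
    uint32_t    flags;
    authdata_t *ad;          /* NULL when no authorization data exists */
} sec_context_t;

static void put_u32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

static uint32_t get_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Size pass: an absent block costs only its 4-byte length field.
 * Reading ad->len without the NULL check is exactly the kind of
 * fault a size routine produces when the block does not exist. */
size_t authdata_size(const authdata_t *ad)
{
    return 4 + (ad != NULL ? ad->len : 0);
}

size_t ctx_size(const sec_context_t *ctx)
{
    return 4 /* flags */ + authdata_size(ctx->ad);
}

/* Externalize as: flags (u32 BE), authdata length (u32 BE), bytes.
 * Returns bytes written, or 0 if buf is too small. */
size_t ctx_export(const sec_context_t *ctx, unsigned char *buf, size_t buflen)
{
    size_t need  = ctx_size(ctx);
    size_t adlen = ctx->ad != NULL ? ctx->ad->len : 0;
    if (buflen < need)
        return 0;
    put_u32(buf, ctx->flags);
    put_u32(buf + 4, (uint32_t)adlen);
    if (adlen > 0)
        memcpy(buf + 8, ctx->ad->data, adlen);
    return need;
}

/* Internalize into caller-provided storage. A zero length field means
 * "no authorization data" and leaves ctx->ad NULL. Returns 0 on success,
 * -1 if the token is truncated or the block does not fit ad_store. */
int ctx_import(sec_context_t *ctx, authdata_t *ad_store,
               const unsigned char *buf, size_t buflen)
{
    if (buflen < 8)
        return -1;
    uint32_t adlen = get_u32(buf + 4);
    if (adlen > sizeof ad_store->data || buflen < 8 + (size_t)adlen)
        return -1;
    ctx->flags = get_u32(buf);
    if (adlen == 0) {
        ctx->ad = NULL;
        return 0;
    }
    ad_store->len = adlen;
    memcpy(ad_store->data, buf + 8, adlen);
    ctx->ad = ad_store;
    return 0;
}

/* Self-checks that return values instead of printing them. */
size_t size_of_ctx_without_authdata(void)
{
    sec_context_t c = { 0x1234u, NULL };     /* initiator-like context */
    return ctx_size(&c);                      /* 8: flags + empty length */
}

int roundtrip_ok(int with_authdata)
{
    authdata_t ad = { 5, "PAC!!" };           /* constructed sample block */
    sec_context_t in = { 0xC0FFEEu, with_authdata ? &ad : NULL };
    authdata_t store; sec_context_t out;
    unsigned char buf[64];
    size_t n = ctx_export(&in, buf, sizeof buf);
    if (n != ctx_size(&in) || ctx_import(&out, &store, buf, n) != 0)
        return 0;
    if (out.flags != in.flags)
        return 0;
    if (!with_authdata)
        return out.ad == NULL;
    return out.ad != NULL && out.ad->len == 5 &&
           memcmp(out.ad->data, "PAC!!", 5) == 0;
}

int truncated_token_rejected(void)
{
    authdata_t ad = { 5, "PAC!!" };
    sec_context_t in = { 1u, &ad };
    authdata_t store; sec_context_t out;
    unsigned char buf[64];
    size_t n = ctx_export(&in, buf, sizeof buf);
    return ctx_import(&out, &store, buf, n - 1) == -1;
}
```

The point of the two-pass shape (size, then export into a buffer of exactly that size) is that both passes must agree on how an absent block is represented; a NULL check in one pass but not the other yields either a fault or a short write. The import side mirrors this by accepting a zero length as "absent" and bounding the declared length against both the token and the destination storage.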