Re: Segfaults after receiving invalid AS-REQ

Wed, 30 Aug 2017 01:41:23 -0700 

* Andreas Haupt [2017-08-30 09:01:08 +0200]:
> we are running KDCs on Heimdal version 7.4. Since the update to version 7.x
> a few weeks ago we observe KDC segfaults after receiving invalid AS-REQ.
> Looks like an evil bug to me. Anybody else seeing this?

Yes. Saw in on 2017-06-14, filed an encrypted bug report to heimdal-bugs
the next day with the attached patch. No reaction. Not to my status query
the other day either.


commit 7a1cf14d57608401dde283ee76c2ec5c7f648e41
tree d77d9f1e9f2b2c9c4481a4f7f63b551e6cba62c8
parent ce3e80c72a58aeae5298aea9c4e5ee4719e95b76
author Sergio Gelato <sergio.gel...@astro.su.se> 1497530749 +0200
committer Sergio Gelato <sergio.gel...@astro.su.se> 1497530749 +0200

    Guard against null r->client_princ when calling _kdc_fast_mk_error().
    
    Some validation failures ("malformed server name", "No client in request")
    result in r->client_princ == NULL at the point of calling _kdc_fast_mk_error().
    Do not evaluate &r->client_princ->name or &r->client_princ->realm when this
    is the case.
    
    This bug is believed to have been the cause of a kdc crash with:
    
    2017-06-14T18:05:19 No client in request
    2017-06-14T18:05:19 AS-REQ malformed client name from IPv4:80.82.77.139
    Jun 14 18:05:19 KDC kernel: [807788.585703] kdc[3162]: segfault at c ip
     b752a123 sp bff56c74 error 4 in libasn1.so.8.0.0[b74aa000+b5000]
    (The instruction pointer pointed into der_length_general_string().)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 95a7492..df38ece 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -2227,14 +2227,20 @@ out:
      * In case of a non proxy error, build an error message.
      */
     if(ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && reply->length == 0) {
+        PrincipalName *error_client_name = NULL;
+	Realm *error_client_realm = NULL;
+	if (r->client_princ) {
+	    error_client_name = &r->client_princ->name;
+	    error_client_realm = &r->client_princ->realm;
+	}
 	ret = _kdc_fast_mk_error(context, r,
 				 &error_method,
 				 r->armor_crypto,
 				 &req->req_body,
 				 ret, r->e_text,
 				 r->server_princ,
-				 &r->client_princ->name,
-				 &r->client_princ->realm,
+				 error_client_name,
+				 error_client_realm,
 				 NULL, NULL,
 				 reply);
 	if (ret)

Attachment: signature.asc
Description: PGP signature

Reply via email to