* Andreas Haupt [2017-08-30 09:01:08 +0200]:
> we are running KDCs on Heimdal version 7.4. Since the update to version 7.x
> a few weeks ago we observe KDC segfaults after receiving invalid AS-REQ.
> Looks like an evil bug to me. Anybody else seeing this?
Yes. Saw it on 2017-06-14, filed an encrypted bug report to heimdal-bugs the next day with the attached patch. No reaction. Not to my status query the other day either.
commit 7a1cf14d57608401dde283ee76c2ec5c7f648e41 tree d77d9f1e9f2b2c9c4481a4f7f63b551e6cba62c8 parent ce3e80c72a58aeae5298aea9c4e5ee4719e95b76 author Sergio Gelato <sergio.gel...@astro.su.se> 1497530749 +0200 committer Sergio Gelato <sergio.gel...@astro.su.se> 1497530749 +0200 Guard against null r->client_princ when calling _kdc_fast_mk_error(). Some validation failures ("malformed server name", "No client in request") result in r->client_princ == NULL at the point of calling _kdc_fast_mk_error(). Do not evaluate &r->client_princ->name or &r->client_princ->realm when this is the case. This bug is believed to have been the cause of a kdc crash with: 2017-06-14T18:05:19 No client in request 2017-06-14T18:05:19 AS-REQ malformed client name from IPv4:80.82.77.139 Jun 14 18:05:19 KDC kernel: [807788.585703] kdc[3162]: segfault at c ip b752a123 sp bff56c74 error 4 in libasn1.so.8.0.0[b74aa000+b5000] (The instruction pointer pointed into der_length_general_string().) diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c index 95a7492..df38ece 100644 --- a/kdc/kerberos5.c +++ b/kdc/kerberos5.c @@ -2227,14 +2227,20 @@ out: * In case of a non proxy error, build an error message. */ if(ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && reply->length == 0) { + PrincipalName *error_client_name = NULL; + Realm *error_client_realm = NULL; + if (r->client_princ) { + error_client_name = &r->client_princ->name; + error_client_realm = &r->client_princ->realm; + } ret = _kdc_fast_mk_error(context, r, &error_method, r->armor_crypto, &req->req_body, ret, r->e_text, r->server_princ, - &r->client_princ->name, - &r->client_princ->realm, + error_client_name, + error_client_realm, NULL, NULL, reply); if (ret)
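Review bot: The hunk now hands NULL to _kdc_fast_mk_error() for error_client_name and error_client_realm whenever r->client_princ is NULL, but nothing in the diff shows that _kdc_fast_mk_error() and the KRB-ERROR encoder it feeds accept a NULL PrincipalName * / Realm * and treat the field as absent (cname and crealm are OPTIONAL in KRB-ERROR, so that is the expected contract); the commit message should say that the callee was checked for this, and any other call sites that form &r->client_princ->name or &r->client_princ->realm for an error reply deserve the same audit rather than only this one in kdc/kerberos5.c. The guard itself is the right fix for the crash described: taking &r->client_princ->realm through a NULL pointer yields a small non-NULL address that no NULL check further down can recognise, which is consistent with the logged 32-bit `segfault at c` inside der_length_general_string() in libasn1 when the encoder later reads through it. Declaring the two locals at the top of the existing if-block keeps the hunk C89-clean, which matters for a tree that still builds on older compilers.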
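As an added example (not Heimdal's code and not part of the thread), the program below shows why the guard has to live at the call site rather than in the error builder: once `&client->realm` has been evaluated through a NULL `client`, the callee receives a small non-NULL address and its own optional-field NULL check passes. Type and function names (`Principal`, `PrincipalName`, `Realm`, `mk_error`, `report_error_guarded`) are hypothetical stand-ins for the Heimdal types and `_kdc_fast_mk_error`; the struct layout and the sample principal are constructed for the demo.

```c
/*
 * Added example, not Heimdal code: why "&r->client_princ->realm" with a NULL
 * client_princ slips past the callee's NULL checks, and the call-site guard
 * the patch applies. Type and function names are hypothetical stand-ins for
 * Principal / PrincipalName / Realm and _kdc_fast_mk_error; the toy layout is
 * only meant to resemble them.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef char *Realm;                                 /* general string */
typedef struct { int name_type; unsigned len; char **val; } PrincipalName;
typedef struct { PrincipalName name; Realm realm; } Principal;

/*
 * Stand-in for the error builder. In KRB-ERROR cname and crealm are
 * OPTIONAL, so the callee treats a NULL pointer as "omit the field" and
 * otherwise reads through it. Returns the number of client fields encoded.
 */
static int mk_error(const PrincipalName *cname, const Realm *crealm,
                    char *out, size_t outlen)
{
    int fields = 0;
    out[0] = '\0';
    if (cname) {              /* real code: der_length_general_string(val[i]) */
        for (unsigned i = 0; i < cname->len; i++) {
            if (i) strncat(out, "/", outlen - strlen(out) - 1);
            strncat(out, cname->val[i], outlen - strlen(out) - 1);
        }
        fields++;
    }
    if (crealm) {             /* real code: der_length_general_string(*crealm) */
        strncat(out, "@", outlen - strlen(out) - 1);
        strncat(out, *crealm, outlen - strlen(out) - 1);
        fields++;
    }
    return fields;
}

/*
 * What the pre-patch call site hands to mk_error for the realm when client
 * is NULL: base address plus member offset, i.e. a small non-NULL value.
 * Computed as integer arithmetic so this example has no undefined behaviour;
 * the real expression is the pointer form. For this toy layout on a 32-bit
 * build the result is 0xc.
 */
static uintptr_t unguarded_realm_arg(const Principal *client)
{
    return (uintptr_t)client + offsetof(Principal, realm);
}

/* Post-patch shape: decide at the call site, pass NULL for both fields. */
static int report_error_guarded(const Principal *client, char *out, size_t outlen)
{
    const PrincipalName *cname = NULL;
    const Realm *crealm = NULL;
    if (client) {
        cname = &client->name;
        crealm = &client->realm;
    }
    return mk_error(cname, crealm, out, outlen);
}

/* Constructed sample client; returns how many client fields were encoded. */
static int demo_fields(int have_client, char *out, size_t outlen)
{
    char *comps[] = { "host", "kdc.example.test" };      /* constructed */
    Realm realm = "EXAMPLE.TEST";                        /* constructed */
    Principal p = { { 1, 2, comps }, realm };
    return report_error_guarded(have_client ? &p : NULL, out, outlen);
}

/* Rendered cname@crealm text for the same demo input. */
static const char *demo_render(int have_client)
{
    static char buf[128];
    demo_fields(have_client, buf, sizeof buf);
    return buf;
}

int main(void)
{
    printf("unguarded realm arg for NULL client: %#lx (non-NULL, callee cannot tell)\n",
           (unsigned long)unguarded_realm_arg(NULL));
    int n0 = demo_fields(0, (char[128]){0}, 128);
    printf("guarded, no client:   %d fields, \"%s\"\n", n0, demo_render(0));
    int n1 = demo_fields(1, (char[128]){0}, 128);
    printf("guarded, with client: %d fields, \"%s\"\n", n1, demo_render(1));
    return 0;
}
```

The point to take from it: a NULL check inside the error builder only protects callers that pass a genuinely NULL pointer, so the check against `r->client_princ` must happen before the member addresses are formed, exactly where the patch puts it.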