* Andreas Haupt [2017-08-30 09:01:08 +0200]:
> we are running KDCs on Heimdal version 7.4. Since the update to version 7.x
> a few weeks ago we observe KDC segfaults after receiving invalid AS-REQ.
> Looks like an evil bug to me. Anybody else seeing this?
Yes. Saw it on 2017-06-14, filed an encrypted bug report to heimdal-bugs
the next day with the attached patch. No reaction. Not to my status query
the other day either.
commit 7a1cf14d57608401dde283ee76c2ec5c7f648e41
tree d77d9f1e9f2b2c9c4481a4f7f63b551e6cba62c8
parent ce3e80c72a58aeae5298aea9c4e5ee4719e95b76
author Sergio Gelato 1497530749 +0200
committer Sergio Gelato 1497530749 +0200
Guard against null r->client_princ when calling _kdc_fast_mk_error().
Some validation failures ("malformed server name", "No client in request")
result in r->client_princ == NULL at the point of calling _kdc_fast_mk_error().
Do not evaluate &r->client_princ->name or &r->client_princ->realm when this
is the case.
This bug is believed to have been the cause of a kdc crash with:
2017-06-14T18:05:19 No client in request
2017-06-14T18:05:19 AS-REQ malformed client name from IPv4:80.82.77.139
Jun 14 18:05:19 KDC kernel: [807788.585703] kdc[3162]: segfault at c ip
b752a123 sp bff56c74 error 4 in libasn1.so.8.0.0[b74aa000+b5000]
(The instruction pointer pointed into der_length_general_string().)
diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 95a7492..df38ece 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -2227,14 +2227,20 @@ out:
* In case of a non proxy error, build an error message.
*/
if(ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && reply->length == 0) {
+PrincipalName *error_client_name = NULL;
+ Realm *error_client_realm = NULL;
+ if (r->client_princ) {
+ error_client_name = &r->client_princ->name;
+ error_client_realm = &r->client_princ->realm;
+ }
ret = _kdc_fast_mk_error(context, r,
&error_method,
r->armor_crypto,
&req->req_body,
ret, r->e_text,
r->server_princ,
- &r->client_princ->name,
- &r->client_princ->realm,
+ error_client_name,
+ error_client_realm,
NULL, NULL,
reply);
if (ret)
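Review bot: the guard only stops this caller from dereferencing r->client_princ; correctness now depends on _kdc_fast_mk_error() accepting NULL for the client name and realm arguments, which this hunk does not show. Since the reported crash was inside der_length_general_string() (the encoder reached via that call), please confirm the callee skips encoding the client name when both pointers are NULL, or mention in the commit message where that NULL handling lives. Minor style point: the first added line `+PrincipalName *error_client_name = NULL;` is indented differently from the following `+ Realm *error_client_realm = NULL;` and the rest of the block; align it with the surrounding code.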