[krbdev.mit.edu #3086] [Sergio Gelato] Bug#311977: libkrb53: gss_init_sec_context sometimes fails to initialise output_token

Greg Hudson via RT
Subject: Bug#311977: libkrb53: gss_init_sec_context sometimes fails to initialise output_token
Reply-To: Sergio Gelato <[hidden email]>,
        [hidden email]
Resent-From: Sergio Gelato <[hidden email]>
Resent-To: Sam Hartman <[hidden email]>
Resent-Date: Sat, 04 Jun 2005 15:18:28 UTC
X-Debian-PR-Message: report 311977
X-Debian-PR-Package: libkrb53
Date: Sat, 04 Jun 2005 17:13:32 +0200
From: Sergio Gelato <[hidden email]>

Package: libkrb53
Version: 1.3.6-2

In investigating a suspicious "free(): invalid pointer" message from
ssh-krb5 3.8.1p1-7 I discovered that gss_init_sec_context() doesn't
always initialise output_token (setting output_token->length=0 would be
enough) as required by RFC 2744 section 5.19.

On the OpenSSH side, the problem is exposed by a call from
ssh_gssapi_check_mechanism() that occurs just before kex_setup(). It
would be easy to work around the problem at that point (e.g., by adding
a send_tok->length=0; in ssh_gssapi_init_ctx), but my reading of the API
specification is that gss_init_sec_context(), not the caller, is
responsible for initialising the output token.
_______________________________________________
krb5-bugs mailing list
[hidden email]
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
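A small model of the failure mode in the report and of the two places it can be fixed, added here as an example; this is constructed code, not libkrb5 or OpenSSH source, and the buffer type, the `fixed_library`/`mech_available` flags and the function names are stand-ins.

```c
#include <stdlib.h>
/* Local stand-ins for gss_buffer_desc / GSS_C_EMPTY_BUFFER (RFC 2744 section 3.2)
 * so this builds without libgssapi. */
typedef struct { size_t length; void *value; } buf_desc, *buf_t;
#define EMPTY_BUFFER { 0, NULL }
enum { MAJ_FAILURE = 1, MAJ_CONTINUE_NEEDED = 2 };
/* Hypothetical model of gss_init_sec_context(). fixed_library == 0: the early
 * failure path returns without writing output_token (the reported defect).
 * fixed_library == 1: the token is zeroed on entry, the library-side fix. */
static unsigned int init_sec_context_model(int fixed_library, int mech_available,
                                           buf_t output_token)
{
    if (fixed_library) {
        output_token->length = 0;
        output_token->value = NULL;
    }
    if (!mech_available)
        return MAJ_FAILURE;               /* output_token left untouched */
    output_token->value = malloc(8);      /* constructed 8-byte token */
    output_token->length = output_token->value ? 8 : 0;
    return MAJ_CONTINUE_NEEDED;
}

/* Caller shaped like the ssh_gssapi_init_ctx() path: send_tok is never
 * initialised, so after a failure it still holds stack garbage (a constructed
 * marker here, never freed). Returns 1 if gss_release_buffer() would free() it. */
int naive_caller_would_free_garbage(int fixed_library, int mech_available)
{
    static char stack_garbage_marker;
    buf_desc send_tok;
    send_tok.length = 0xdead;
    send_tok.value = &stack_garbage_marker;
    (void)init_sec_context_model(fixed_library, mech_available, &send_tok);
    if (send_tok.value == &stack_garbage_marker)
        return 1;                         /* "free(): invalid pointer" */
    free(send_tok.value);                 /* NULL or a real token: safe */
    return 0;
}
/* Caller-side workaround from the report (send_tok->length = 0 before the
 * call, here via EMPTY_BUFFER). Returns 1 if releasing the token was safe. */
int hardened_caller_release_safe(int fixed_library, int mech_available)
{
    buf_desc send_tok = EMPTY_BUFFER;
    unsigned int maj = init_sec_context_model(fixed_library, mech_available, &send_tok);
    int safe = (maj == MAJ_CONTINUE_NEEDED) ? (send_tok.value != NULL)
                                            : (send_tok.value == NULL);
    free(send_tok.value);                 /* free(NULL) is a no-op */
    return safe;
}
```

Only the combination of an uninitialised caller buffer and a library that skips the token on its failure path reaches the garbage-free case; either side's fix closes it.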