[Bug 267912] kadmind dereferences NULL if client sends mangled realm message
Date: Mon, 21 Nov 2022 23:13:31 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267912
Bug ID: 267912
Summary: kadmind dereferences NULL if client sends mangled realm message
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: rtm@lcs.mit.edu
Attachment #238235 mime type: text/plain
Created attachment 238235
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=238235&action=edit
crash kadmind with a missing realm string
kadmind's handle_v5() reads a client message that can optionally
contain the realm name:
    if(kadm_version == 1) {
        krb5_data params;
        ret = krb5_read_priv_message(contextp, ac, &fd, &params);
        if(ret)
            krb5_err(contextp, 1, ret, "krb5_read_priv_message");
        _kadm5_unmarshal_params(contextp, &params, &realm_params);
    }
If the client sends a mask containing KADM5_CONFIG_REALM, but the
client's message stops too early, realm_params.mask will have that bit
set, but realm_params.realm will be NULL. _kadm5_unmarshal_params()
returns an error in this case, but handle_v5() doesn't check its
return value.
Later, _kadm5_s_init_context() says
    #define is_set(M) (params && params->mask & KADM5_CONFIG_ ## M)
    if(is_set(REALM))
        (*ctx)->config.realm = strdup(params->realm);
The bit is set, so strdup() crashes.
I've attached a demo program. It must be run on a system with kdc and
kadmind running, and the user must have tickets.
Here's a backtrace:
#0 strlen (str=<optimized out>)
at /usr/rtm/symbsd/src/lib/libc/string/strlen.c:94
#1 0x00000006afe04f48 in strdup (str=0x0)
at /usr/rtm/symbsd/src/lib/libc/string/strdup.c:48
#2 0x00000006ac04b270 in _kadm5_s_init_context (ctx=0x6aa2d9fd8,
params=0x6aa2da030, context=0x6b9381e10)
at /usr/rtm/symbsd/src/crypto/heimdal/lib/kadm5/context_s.c:153
#3 0x00000006ac04c90a in kadm5_s_init_with_context (context=0x0,
client_name=0x6b93cec50 "root@EXAMPLE.ORG", service_name=<optimized out>,
realm_params=0x6afcc8fd8, struct_version=<optimized out>,
api_version=<optimized out>, server_handle=0x6aa2da078)
at /usr/rtm/symbsd/src/crypto/heimdal/lib/kadm5/init_s.c:50
#4 0x00000006ac04c8dc in kadm5_s_init_with_password_ctx (context=0x0,
client_name=0x6afcc8fd8
"\377\376\376\376\376\376\376\376environmUUUUUUUU\333\064\266×\336\033CaCoc\247\207\322?hfffffff\213\200",
password=<optimized out>, service_name=<optimized out>, realm_params=0x0,
struct_version=<optimized out>, api_version=<optimized out>,
server_handle=0x186db)
at /usr/rtm/symbsd/src/crypto/heimdal/lib/kadm5/init_s.c:104
#5 0x0000000629fe5d72 in handle_v5 (contextp=<optimized out>,
keytab=<optimized out>, fd=<optimized out>)
at /usr/rtm/symbsd/src/crypto/heimdal/kadmin/server.c:539
#6 0x0000000629fe5c96 in kadmind_loop (contextp=0x6b9381e10,