[Bug 268062] zero-length client request causes kadmind to use pointers in freed memory

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 29 Nov 2022 17:07:05 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268062

            Bug ID: 268062
           Summary: zero-length client request causes kadmind to use
                    pointers in freed memory
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #238427 mime type: text/plain

Created attachment 238427
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=238427&action=edit
send a zero-length request to kadmind that causes it to use pointers from freed
memory

If a client sends kadmind a zero-length message, kadmind_dispatch()
sees the error:

    ret = krb5_ret_int32(sp, &cmd);
    if (ret) {
        krb5_storage_free(sp);
        goto fail;
    }

but then calls through a pointer from the freed sp:

fail:
    ...;
    krb5_storage_seek(sp, 0, SEEK_SET);

KRB5_LIB_FUNCTION off_t KRB5_LIB_CALL
krb5_storage_seek(krb5_storage *sp, off_t offset, int whence)
{
    return (*sp->seek)(sp, offset, whence);
}

I've attached a demo; valgrind or a debugging malloc are required to
reliably see the error:

# cc kadmind18b.c -lkrb5
# ./a.out

This is with source from git from this morning (Nov 29).

-- 
You are receiving this mail because:
You are the assignee for the bug.