
Bug#349526: openssh-server: sshd crashes with a segfault



reassign 349526 libkrb53
severity 349526 important
tags 349526 patch
thanks

On Mon, Jan 23, 2006 at 03:06:45PM -0800, Steve Langasek wrote:

> On Mon, Jan 23, 2006 at 09:29:03AM -0800, Russ Allbery wrote:
> > reassign 349526 openssh-server
> > thanks

> > Justin Pryzby <justinpryzby@users.sourceforge.net> writes:

> > > reassign 349526 libkrb53
> > > thanks

> > Please don't reassign the bug to the Kerberos libraries unless you have
> > evidence that the bug is actually in the *library* rather than in
> > openssh-server's use of Kerberos.  Given the quantity of other software in
> > Debian that hasn't started segfaulting, it seems more likely that
> > something in openssh-server specifically is at fault.  At the least, I
> > think a little more investigation is needed before we can be sure that
> > it's a Kerberos library bug.

> Agreed.  FWIW, I was also seeing complementary errors with openssh-*client*
> whenever I had a valid ccache and tried to ssh to a system that doesn't
> accept Kerberos, but I'm not able to reproduce those errors now; possibly
> the errors went away when kerberos 1.4.3 hit testing...

Hey, so I guess forgetting that you've created a zero-length
/etc/krb5.keytab for testing on a system that you're later trying to convert
to use pam_krb5 is a good way to motivate oneself to find and fix this
bug...

It turns out that the problem is buggy handling of fread() in
src/lib/krb5/keytab/kt_file.c; the code assumes that fread only returns 0
upon error, when it can, of course, also return 0 if there are 0 bytes to be
read. :)  So it sets kerror to 0 (errno), closes the file but doesn't
completely clean up, and the FILE* gets double-freed.

Possible patch attached, reassigned and downgraded.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
diff -u krb5-1.4.3/debian/changelog krb5-1.4.3/debian/changelog
--- krb5-1.4.3/debian/changelog
+++ krb5-1.4.3/debian/changelog
@@ -1,3 +1,10 @@
+krb5 (1.4.3-6.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Fix incorrect check for return value of xfread().
+
+ -- Steve Langasek <vorlon@debian.org>  Mon, 13 Mar 2006 23:38:02 -0800
+
 krb5 (1.4.3-6) unstable; urgency=low
 
   * Assume krb5 in krb5_gss_canonicalize_name if the null mechanism is
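Review bot: the new changelog entry at the top of this hunk does not reference the report it fixes; append `(Closes: #349526)` to the `Fix incorrect check for return value of xfread().` line so the BTS closes the bug on upload and the entry records why the non-maintainer upload was made.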
only in patch2:
unchanged:
--- krb5-1.4.3.orig/src/lib/krb5/keytab/kt_file.c
+++ krb5-1.4.3/src/lib/krb5/keytab/kt_file.c
@@ -1108,6 +1108,8 @@
 	/* gotta verify it instead... */
 	if (!xfread(&kt_vno, sizeof(kt_vno), 1, KTFILEP(id))) {
 	    kerror = errno;
+	    if (!kerror)
+		kerror = EIO;
 	    (void) krb5_unlock_file(context, fileno(KTFILEP(id)));
 	    (void) fclose(KTFILEP(id));
 	    return kerror;
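Review bot: mapping a zero errno to EIO does stop this path from returning 0 after the fclose(), which is the double-free described above, but the added check still cannot tell a zero-length keytab (EOF, the case in the report) from a genuine read error; testing feof()/ferror() on KTFILEP(id) before the close and returning a keytab-specific error for the EOF case would give callers a usable diagnostic. Consider also clearing KTFILEP(id) after the fclose() so that no return value can leave a dangling FILE* in the handle.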

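To show the failure mode described in the message above, here is an added C example (not from the bug report or from the krb5 source): a hypothetical stand-in for the kt_file.c version check in its buggy form beside a fixed form that mirrors the patch, each run against a constructed zero-length file like the empty /etc/krb5.keytab in the report.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Buggy variant (hypothetical stand-in for the kt_file.c check): it
 * assumes fread() returns 0 only on error. On a zero-length keytab errno
 * is still 0, so the FILE* is closed and 0 ("success") goes back to a
 * caller that will later fclose() the same handle: a double free. */
static int read_vno_buggy(FILE *fp, int16_t *vno)
{
    if (fread(vno, sizeof(*vno), 1, fp) != 1) {
        int kerror = errno;      /* 0 at EOF: nothing went wrong */
        (void) fclose(fp);       /* handle is dead from here on */
        return kerror;           /* ...but 0 tells the caller all is well */
    }
    return 0;
}

/* Fixed variant mirroring the patch: never return 0 after closing,
 * use ferror() to tell EOF from a real read error, and clear the
 * caller's handle so a second fclose() cannot double-free it. */
static int read_vno_fixed(FILE **fpp, int16_t *vno)
{
    if (fread(vno, sizeof(*vno), 1, *fpp) != 1) {
        int kerror = ferror(*fpp) ? errno : 0;
        if (!kerror)
            kerror = EIO;        /* short read / EOF is still a failure */
        (void) fclose(*fpp);
        *fpp = NULL;
        return kerror;
    }
    return 0;
}

/* Runs one variant on a constructed zero-length file. Returns the error
 * code the variant reported; *handle_cleared says whether the caller's
 * FILE* was reset (only the fixed variant does this). */
int demo_empty_keytab(int use_fixed, int *handle_cleared)
{
    FILE *fp = tmpfile();        /* constructed: empty, never written to */
    int16_t vno = 0;
    int kerror;
    if (!fp) return -1;
    errno = 0;
    kerror = use_fixed ? read_vno_fixed(&fp, &vno) : read_vno_buggy(fp, &vno);
    *handle_cleared = (fp == NULL);
    return kerror;
}
```

The buggy variant reports 0 for the empty file while leaving a closed FILE* in the caller's hands; the fixed one reports EIO and nulls the handle.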