[Bug 267884] kadmind can read beyond the end of an incoming message's buffer
Date: Sun, 20 Nov 2022 20:50:58 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267884
Bug ID: 267884
Summary: kadmind can read beyond the end of an incoming message's buffer
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: rtm@lcs.mit.edu
Attachment #238198 mime type: text/plain
Created attachment 238198
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=238198&action=edit
send a non-null-terminated appl_version to kadmind
kadmind's handle_v5() calls krb5_recvauth_match_version(), which contains:
    n = krb5_net_read (context, p_fd, &len, 4);
    ...;
    len = ntohl(len);
    her_appl_version = malloc (len);
    if (krb5_net_read (context, p_fd, her_appl_version, len) != len
        || !(*match_appl_version)(match_data, her_appl_version)) {
        repl = 2;
        krb5_net_write (context, p_fd, &repl, 1);
        krb5_set_error_message(context, KRB5_SENDAUTH_BADAPPLVERS,
                               N_("wrong sendauth version (%s)", ""),
                               her_appl_version);
The code does not check that the incoming message in her_appl_version
is null terminated, which can cause trouble for match_appl_version()'s
call to sscanf, and krb5_set_error_message's use of her_appl_version.
This is with CURRENT source from today (Nov 20 2022).
I've attached a demo. Since there's often a null somewhere soon after
the end of the allocated buffer, the problem is only reliably visible
with something like valgrind:
# /usr/libexec/kadmind --version
kadmind (Heimdal 1.5.2)
Copyright 1995-2011 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs@h5l.org
# valgrind /usr/libexec/kadmind --debug &
# cc kadmind3a.c
# ./a.out
==67648== Memcheck, a memory error detector
==67648== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==67648== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
==67648== Command: /usr/libexec/kadmind --debug
==67648==
==67648== Invalid read of size 1
==67648== at 0x4852EE9: strlen (in /usr/local/libexec/valgrind/vgpreload_memcheck-amd64-freebsd.so)
==67648== by 0x4A596BC: vsscanf (in /lib/libc.so.7)
==67648== by 0x4A4C72C: sscanf (in /lib/libc.so.7)
==67648== by 0x112677: ??? (in /usr/libexec/kadmind)
==67648== by 0x4907BE6: krb5_recvauth_match_version (in /usr/lib/libkrb5.so.11)
==67648== by 0x1114CD: ??? (in /usr/libexec/kadmind)
==67648== by 0x112978: ??? (in /usr/libexec/kadmind)
==67648== by 0x10D16C: ??? (in /usr/libexec/kadmind)
==67648== by 0x4823007: ???
==67648== Address 0x5b463b6 is 0 bytes after a block of size 150 alloc'd
==67648== at 0x484C8A4: malloc (in /usr/local/libexec/valgrind/vgpreload_memcheck-amd64-freebsd.so)
==67648== by 0x4907BA9: krb5_recvauth_match_version (in /usr/lib/libkrb5.so.11)
==67648== by 0x1114CD: ??? (in /usr/libexec/kadmind)
==67648== by 0x112978: ??? (in /usr/libexec/kadmind)
==67648== by 0x10D16C: ??? (in /usr/libexec/kadmind)
==67648== by 0x4823007: ???
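The receive path that the report implies a fix for, written out as an added C example; this is not Heimdal's or FreeBSD's code and not the reporter's demo. It keeps the wire layout shown in the quoted snippet (a 4-byte big-endian length followed by that many bytes of text) but replaces the socket with a constructed in-memory stream, assumes a MAX_APPL_VERSION bound chosen here, and uses a hypothetical match_appl_version() that parses a "KADM0.<minor>" string with sscanf, standing in for kadmind's real callback. The hardened reader bounds the length before allocating, allocates one extra byte and NUL-terminates, rejects short reads and embedded NULs, and only then hands the string to sscanf, so neither sscanf nor a later "%s" format can run past the allocation as valgrind shows above.

```c
/* Added example, not Heimdal/FreeBSD code: hardened handling of the sendauth
 * "application version" string. Wire format (from the quoted snippet):
 * 4-byte big-endian length, then `len` bytes of text with no terminator. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed in-memory stand-in for the socket read by krb5_net_read(). */
struct stream { const unsigned char *buf; size_t len; size_t pos; };

/* Like krb5_net_read(): returns the number of bytes copied, short on EOF. */
static size_t stream_read(struct stream *s, void *dst, size_t n) {
    size_t avail = s->len - s->pos;
    if (n > avail) n = avail;
    memcpy(dst, s->buf + s->pos, n);
    s->pos += n;
    return n;
}

#define MAX_APPL_VERSION 256  /* assumed sane bound on a version string */

/* Hardened reader: bounds len, allocates len+1, NUL-terminates, and rejects
 * truncated messages and embedded NULs. Returns a malloc'd C string or NULL. */
char *read_appl_version(struct stream *s) {
    uint32_t be_len;
    if (stream_read(s, &be_len, 4) != 4) return NULL;      /* short length field */
    uint32_t len = ntohl(be_len);
    if (len == 0 || len > MAX_APPL_VERSION) return NULL;   /* attacker-chosen size */
    char *v = malloc((size_t)len + 1);                     /* room for the NUL */
    if (v == NULL) return NULL;
    if (stream_read(s, v, len) != len) { free(v); return NULL; } /* truncated body */
    v[len] = '\0';                                         /* the missing terminator */
    if (strlen(v) != len) { free(v); return NULL; }        /* embedded NUL hides bytes */
    return v;
}

/* Hypothetical stand-in for kadmind's match_appl_version(): accepts "KADM0.<n>".
 * Safe only because the caller guarantees a NUL-terminated string. */
int match_appl_version(const char *appl_version, unsigned *minor) {
    return sscanf(appl_version, "KADM0.%u", minor) == 1;
}

/* Runs the full path on one message; returns 1 if accepted, 0 if rejected. */
int check_message(const unsigned char *msg, size_t msglen, unsigned *minor) {
    struct stream s = { msg, msglen, 0 };
    char *v = read_appl_version(&s);
    if (v == NULL) return 0;
    int ok = match_appl_version(v, minor);
    free(v);
    return ok;
}

/* Convenience: parsed minor version on accept, -1 on reject. */
int parsed_minor(const unsigned char *msg, size_t n) {
    unsigned minor = 0;
    return check_message(msg, n, &minor) ? (int)minor : -1;
}

/* Constructed sample messages (not captured traffic). */
static const unsigned char MSG_GOOD[]  = { 0,0,0,7, 'K','A','D','M','0','.','1' };
static const unsigned char MSG_HUGE[]  = { 0x7f,0xff,0xff,0xff, 'K' };          /* oversized length claim */
static const unsigned char MSG_SHORT[] = { 0,0,0,7, 'K','A','D' };              /* body shorter than len */
static const unsigned char MSG_NUL[]   = { 0,0,0,7, 'K','A','D','M','\0','.','1' }; /* embedded NUL */
static const unsigned char MSG_BAD[]   = { 0,0,0,5, 'H','E','L','L','O' };      /* wrong prefix */

int main(void) {
    printf("good : %d\n", parsed_minor(MSG_GOOD,  sizeof MSG_GOOD));   /* 1 */
    printf("huge : %d\n", parsed_minor(MSG_HUGE,  sizeof MSG_HUGE));   /* -1 */
    printf("short: %d\n", parsed_minor(MSG_SHORT, sizeof MSG_SHORT));  /* -1 */
    printf("nul  : %d\n", parsed_minor(MSG_NUL,   sizeof MSG_NUL));    /* -1 */
    printf("bad  : %d\n", parsed_minor(MSG_BAD,   sizeof MSG_BAD));    /* -1 */
    return 0;
}
```

The length bound matters as much as the terminator: with the snippet's unchecked malloc(len), a peer also controls how much memory the server allocates before any authentication has happened, so the check belongs before the allocation, not after the read.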