[Bug 267097] NULL dereference in telnet kerberos5_reply()
Date: Sat, 15 Oct 2022 18:20:27 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267097

Bug ID: 267097
Summary: NULL dereference in telnet kerberos5_reply()
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: rtm@lcs.mit.edu

Attachment #237350 (text/plain mime type):
Created attachment 237350
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=237350&action=edit
Fake telnet server that causes telnet to dereference NULL in kerberos5_reply()

In this code in kerberos5_reply() in contrib/telnet/libtelnet/kerberos5.c:

    ret = krb5_auth_con_getlocalsubkey (context, auth_context, &keyblock);
    if(ret) { ...; return; }
    ...;
    skey.data = keyblock->keyvalue.data;

krb5_auth_con_getlocalsubkey() returns 0 (success) if auth_context->local_subkey is NULL, but it also sets keyblock to NULL. Only the return code is checked, so the subsequent keyblock->keyvalue dereference crashes on a NULL pointer. This can happen if the server sends IAC SB AUTHENTICATION messages in an unexpected order.

Here's a toy server that demonstrates the problem:

    % cc telnet17b.c
    % sudo ./a.out &
    % telnet localhost
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    [ Trying KERBEROS5 (host/localhost@EXAMPLE.ORG)... ]
    Kerberos V5: mk_req failed (open(/tmp/krb5cc_5272): No such file or directory)
    [ Kerberos V5 accepts you ]
    Segmentation fault

    (gdb) where
    #0  0x0000000001042d35 in kerberos5_reply (ap=0x1048258 <authenticators+56>, data=<optimized out>, cnt=<optimized out>) at /usr/src/contrib/telnet/libtelnet/kerberos5.c:634
    #1  0x000000000103f776 in auth_reply (data=<optimized out>, cnt=<optimized out>) at /usr/src/contrib/telnet/libtelnet/auth.c:491
    #2  0x0000000001039a51 in suboption () at /usr/src/contrib/telnet/telnet/telnet.c:944
    #3  0x000000000103900d in telrcv () at /usr/src/contrib/telnet/telnet/telnet.c:1885
    #4  0x0000000001039f03 in Scheduler (block=block@entry=1) at /usr/src/contrib/telnet/telnet/telnet.c:2098
    #5  0x0000000001039daa in telnet (user=user@entry=0x7fffffffec10 "rtm") at /usr/src/contrib/telnet/telnet/telnet.c:2163
    #6  0x0000000001033043 in tn (argc=<optimized out>, argc@entry=2, argv=<optimized out>, argv@entry=0x7fffffffe760) at /usr/src/contrib/telnet/telnet/commands.c:2492
    #7  0x0000000001036062 in main (argc=1, argv=<optimized out>) at /usr/src/contrib/telnet/telnet/main.c:370
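The defect is a "success with a NULL out-parameter" pattern: the caller checks the return code but not the pointer the callee handed back. The following is an added example (not code from the bug report, from FreeBSD's telnet, or from Heimdal) that reproduces that pattern with constructed stand-in types and a mock of krb5_auth_con_getlocalsubkey() that behaves as the report describes, and places the unchecked step beside a hardened version that rejects the reply when no subkey exists. All type and function names in it are invented for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the Heimdal types used in kerberos5_reply();
 * they are not the library's real definitions. */
typedef struct {
    void  *data;
    size_t length;
} keyvalue_t;

typedef struct {
    keyvalue_t keyvalue;
} keyblock_t;

typedef struct {
    keyblock_t *local_subkey;   /* NULL until a subkey has been negotiated */
} auth_context_t;

/* Mimics the behaviour the report describes for krb5_auth_con_getlocalsubkey():
 * success (0) is returned even when no local subkey exists, and *keyblock is
 * then left NULL. This is a mock, not the library function. */
static int mock_getlocalsubkey(const auth_context_t *ac, keyblock_t **keyblock)
{
    *keyblock = ac->local_subkey;
    return 0;
}

/* The pattern from the report: the return code is checked, the pointer is not.
 * With a NULL keyblock this dereferences NULL; it is kept only for contrast
 * with the fixed version and is never called here without a subkey. */
static int derive_skey_unchecked(const auth_context_t *ac, keyvalue_t *skey)
{
    keyblock_t *keyblock = NULL;
    if (mock_getlocalsubkey(ac, &keyblock) != 0)
        return 0;
    skey->data   = keyblock->keyvalue.data;     /* crashes when keyblock == NULL */
    skey->length = keyblock->keyvalue.length;
    return 1;
}

/* Hardened version: a NULL keyblock is treated as a rejected reply, exactly
 * like a non-zero return code. Returns 1 if skey was filled in, 0 if rejected. */
int derive_skey_checked(const auth_context_t *ac, keyvalue_t *skey)
{
    keyblock_t *keyblock = NULL;
    if (mock_getlocalsubkey(ac, &keyblock) != 0)
        return 0;
    if (keyblock == NULL || keyblock->keyvalue.data == NULL)
        return 0;                               /* the missing check */
    skey->data   = keyblock->keyvalue.data;
    skey->length = keyblock->keyvalue.length;
    return 1;
}

/* Scenario 1: a well-behaved exchange in which a subkey was negotiated. */
int scenario_with_subkey(void)
{
    static unsigned char key[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };  /* constructed */
    keyblock_t kb = { { key, sizeof key } };
    auth_context_t ac = { &kb };
    keyvalue_t skey = { NULL, 0 };
    int unchecked = derive_skey_unchecked(&ac, &skey);
    int checked   = derive_skey_checked(&ac, &skey);
    /* both variants accept the reply and pick up the 8-byte key */
    return unchecked == 1 && checked == 1 && skey.length == 8;
}

/* Scenario 2: the AUTHENTICATION sub-negotiations arrived out of order, so no
 * subkey exists. Only the checked variant is safe to call in this state. */
int scenario_without_subkey(void)
{
    auth_context_t ac = { NULL };
    keyvalue_t skey = { NULL, 0 };
    return derive_skey_checked(&ac, &skey);     /* 0: reply rejected, no crash */
}

int main(void)
{
    printf("with subkey: %d, without subkey: %d\n",
           scenario_with_subkey(), scenario_without_subkey());
    return 0;
}
```

The design point is that any out-parameter filled in by a library call that can legitimately succeed with "nothing to return" needs its own check at the call site; the return code alone does not establish that the pointer is usable, and in a network-facing authenticator the peer controls which state the context is in when the call is made.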