Date: Sun, 20 Nov 2022 20:50:58 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 267884] kadmind can read beyond the end of an incoming message's buffer
Message-ID: <bug-267884-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267884

            Bug ID: 267884
           Summary: kadmind can read beyond the end of an incoming message's buffer
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
        Attachment #238198 text/plain
         mime type:

Created attachment 238198
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=238198&action=edit
send a non-null-terminated appl_version to kadmind

kadmind's handle_v5() calls krb5_recvauth_match_version(), which contains:

    n = krb5_net_read (context, p_fd, &len, 4);
    ...;
    len = ntohl(len);
    her_appl_version = malloc (len);
    if (krb5_net_read (context, p_fd, her_appl_version, len) != len
        || !(*match_appl_version)(match_data, her_appl_version)) {
        repl = 2;
        krb5_net_write (context, p_fd, &repl, 1);
        krb5_set_error_message(context, KRB5_SENDAUTH_BADAPPLVERS,
                               N_("wrong sendauth version (%s)", ""),
                               her_appl_version);

The code does not check that the incoming message in her_appl_version is
null terminated, which can cause trouble for match_appl_version()'s call
to sscanf, and krb5_set_error_message's use of her_appl_version.

This is with CURRENT source from today (Nov 20 2022). I've attached a demo.
Since there's often a null somewhere soon after the end of the allocated
buffer, the problem is only reliably visible with something like valgrind:

# /usr/libexec/kadmind --version
kadmind (Heimdal 1.5.2)
Copyright 1995-2011 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs@h5l.org
# valgrind /usr/libexec/kadmind --debug &
# cc kadmind3a.c
# ./a.out
==67648== Memcheck, a memory error detector
==67648== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==67648== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
==67648== Command: /usr/libexec/kadmind --debug
==67648==
==67648== Invalid read of size 1
==67648==    at 0x4852EE9: strlen (in /usr/local/libexec/valgrind/vgpreload_memcheck-amd64-freebsd.so)
==67648==    by 0x4A596BC: vsscanf (in /lib/libc.so.7)
==67648==    by 0x4A4C72C: sscanf (in /lib/libc.so.7)
==67648==    by 0x112677: ??? (in /usr/libexec/kadmind)
==67648==    by 0x4907BE6: krb5_recvauth_match_version (in /usr/lib/libkrb5.so.11)
==67648==    by 0x1114CD: ??? (in /usr/libexec/kadmind)
==67648==    by 0x112978: ??? (in /usr/libexec/kadmind)
==67648==    by 0x10D16C: ??? (in /usr/libexec/kadmind)
==67648==    by 0x4823007: ???
==67648==  Address 0x5b463b6 is 0 bytes after a block of size 150 alloc'd
==67648==    at 0x484C8A4: malloc (in /usr/local/libexec/valgrind/vgpreload_memcheck-amd64-freebsd.so)
==67648==    by 0x4907BA9: krb5_recvauth_match_version (in /usr/lib/libkrb5.so.11)
==67648==    by 0x1114CD: ??? (in /usr/libexec/kadmind)
==67648==    by 0x112978: ??? (in /usr/libexec/kadmind)
==67648==    by 0x10D16C: ??? (in /usr/libexec/kadmind)
==67648==    by 0x4823007: ???

--
You are receiving this mail because:
You are the assignee for the bug.
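A hardened receive path for the length-prefixed version string, written as an added example for this report (it is neither Heimdal's code nor the attached demo): it bounds the announced length before allocating, allocates len + 1 and writes its own NUL so that no string function depends on the peer having sent one. MAX_APPL_VERSION_LEN, the check_version_bytes() helper and the "KADM0.1" sample bytes are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on a version string; an assumed value, not a Heimdal limit. */
#define MAX_APPL_VERSION_LEN 256

/* Parse a sendauth-style version: 4-byte big-endian length, then that many
 * bytes the peer may or may not NUL-terminate ('msg' stands in for the socket
 * bytes). On success *out is a fresh NUL-terminated copy and 0 is returned. */
int read_appl_version(const uint8_t *msg, size_t msglen, char **out)
{
    uint32_t len;
    char *ver;
    *out = NULL;
    if (msglen < 4)
        return -1;
    len = ((uint32_t)msg[0] << 24) | ((uint32_t)msg[1] << 16) |
          ((uint32_t)msg[2] << 8) | (uint32_t)msg[3];
    /* Check the announced length before allocating: a huge value is a memory
     * DoS, and fewer bytes than announced is a truncated message. */
    if (len == 0 || len > MAX_APPL_VERSION_LEN || msglen - 4 < len)
        return -1;
    /* The original does malloc(len) and trusts the peer to send the
     * terminator; len + 1 plus our own NUL removes that trust. */
    ver = malloc((size_t)len + 1);
    if (ver == NULL)
        return -1;
    memcpy(ver, msg + 4, len);
    ver[len] = '\0';
    /* An embedded NUL would make sscanf()/strlen() see a shorter string than
     * was sent; reject it rather than silently truncating. */
    if (strlen(ver) != len) {
        free(ver);
        return -1;
    }
    *out = ver;
    return 0;
}

/* Test helper (assumed, not Heimdal's): 1 if msg parses to exactly 'expect'. */
int check_version_bytes(const uint8_t *msg, size_t n, const char *expect)
{
    char *v; int ok;
    if (read_appl_version(msg, n, &v) != 0)
        return 0;
    ok = strcmp(v, expect) == 0;
    free(v);
    return ok;
}
```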