Date:      Tue, 29 Nov 2022 17:07:05 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 268062] zero-length client request causes kadmind to use pointers in freed memory
Message-ID:  <bug-268062-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268062

            Bug ID: 268062
           Summary: zero-length client request causes kadmind to use
                    pointers in freed memory
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #238427 mime type: text/plain

Created attachment 238427
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=238427&action=edit
send a zero-length request to kadmind that causes it to use pointers from freed
memory

If a client sends kadmind a zero-length message, kadmind_dispatch()
sees the error:

    ret = krb5_ret_int32(sp, &cmd);   /* fails: no int32 in an empty request */
    if (ret) {
        krb5_storage_free(sp);        /* sp is released here ... */
        goto fail;
    }

but then calls through a pointer from the freed sp:

fail:
    ...;
    krb5_storage_seek(sp, 0, SEEK_SET);   /* ... and dereferenced here */

KRB5_LIB_FUNCTION off_t KRB5_LIB_CALL
krb5_storage_seek(krb5_storage *sp, off_t offset, int whence)
{
    return (*sp->seek)(sp, offset, whence);
}

I've attached a demo; valgrind or a debugging malloc are required to
reliably see the error:

# cc kadmind18b.c -lkrb5
# ./a.out

This is with source from git from this morning (Nov 29).

-- 
You are receiving this mail because:
You are the assignee for the bug.
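The control-flow defect described in the report, modelled in a small stand-alone C program (added example, not Heimdal or FreeBSD code and not the attached demo): a minimal `storage` type with a `seek` function pointer stands in for `krb5_storage`, `ret_int32()` fails on any request shorter than four bytes, and `dispatch()` shows the corrected ordering in which the error path still rewinds the storage but frees the handle only after its last use. All names (`storage`, `storage_seek`, `ret_int32`, `dispatch`, `demo_*`) are hypothetical, and the corrected ordering is one possible fix, not the one the project applied.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for krb5_storage: a memory buffer plus the seek
 * function pointer that krb5_storage_seek() dereferences in the report. */
typedef struct storage {
    unsigned char *buf;
    size_t len, pos;
    long (*seek)(struct storage *sp, long offset, int whence);
} storage;

static long mem_seek(storage *sp, long offset, int whence)
{
    long base = whence == SEEK_SET ? 0
              : whence == SEEK_CUR ? (long)sp->pos
              : whence == SEEK_END ? (long)sp->len : -1;
    if (base < 0 || base + offset < 0 || base + offset > (long)sp->len)
        return -1;
    sp->pos = (size_t)(base + offset);
    return (long)sp->pos;
}

/* Same shape as krb5_storage_seek(): it reads sp->seek, so calling it
 * with a freed sp is exactly the use-after-free in the report. */
static long storage_seek(storage *sp, long offset, int whence)
{
    return (*sp->seek)(sp, offset, whence);
}

static storage *storage_from_mem(const unsigned char *data, size_t len)
{
    storage *sp = calloc(1, sizeof *sp);
    if (sp == NULL)
        return NULL;
    sp->buf = malloc(len ? len : 1);     /* len == 0 is the zero-length case */
    if (sp->buf == NULL) {
        free(sp);
        return NULL;
    }
    if (len)
        memcpy(sp->buf, data, len);
    sp->len = len;
    sp->seek = mem_seek;
    return sp;
}

static void storage_free(storage *sp)
{
    if (sp) { free(sp->buf); free(sp); }
}

/* Big-endian int32 like krb5_ret_int32(); fails on short input, which an
 * empty request triggers on the very first read. */
static int ret_int32(storage *sp, int32_t *out)
{
    const unsigned char *p = sp->buf + sp->pos;
    if (sp->len - sp->pos < 4)
        return -1;
    *out = (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
    sp->pos += 4;
    return 0;
}

/* Corrected ordering: sp has one owner and is freed once, after its last
 * use on every path.  The error path still rewinds the storage (the step
 * the original fail: label performs) but before the free, not after.
 * Returns 0 with *cmd_out set, or -1 for a malformed request. */
static int dispatch(const unsigned char *req, size_t len, int32_t *cmd_out)
{
    storage *sp = storage_from_mem(req, len);
    int32_t cmd;

    if (sp == NULL)
        return -1;
    if (ret_int32(sp, &cmd) != 0)
        goto fail;                      /* no free here: fail still uses sp */
    *cmd_out = cmd;
    storage_free(sp);
    return 0;

fail:
    storage_seek(sp, 0, SEEK_SET);      /* safe: sp is still live */
    storage_free(sp);                   /* released after the last use */
    return -1;
}

/* Constructed request: a single big-endian command word, 42. */
static const unsigned char demo_req[4] = { 0x00, 0x00, 0x00, 0x2a };

static int demo_zero_length(void)       /* expected -1, no UAF on the way */
{
    int32_t cmd = 0;
    return dispatch(demo_req, 0, &cmd);
}

static int32_t demo_good_request(void)  /* expected 42 */
{
    int32_t cmd = 0;
    return dispatch(demo_req, sizeof demo_req, &cmd) == 0 ? cmd : -1;
}

int main(void)
{
    printf("zero-length request: %d\n", demo_zero_length());
    printf("4-byte request: cmd=%d\n", (int)demo_good_request());
    return 0;
}
```

Build with `cc -fsanitize=address example.c` (or run under valgrind, as the report suggests for the real daemon); the zero-length case then exits cleanly, whereas the original free-then-seek ordering would be reported as a heap use-after-free at `storage_seek()`.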


