Created attachment 238427 [details]
send a zero-length request to kadmind that causes it to use pointers from freed memory

If a client sends kadmind a zero-length message, kadmind_dispatch() sees the error:

    ret = krb5_ret_int32(sp, &cmd);
    if (ret) {
        krb5_storage_free(sp);
        goto fail;
    }

but then calls through a pointer from the freed sp:

    fail:
        ...;
        krb5_storage_seek(sp, 0, SEEK_SET);

    KRB5_LIB_FUNCTION off_t KRB5_LIB_CALL
    krb5_storage_seek(krb5_storage *sp, off_t offset, int whence)
    {
        return (*sp->seek)(sp, offset, whence);
    }

I've attached a demo; valgrind or a debugging malloc is required to reliably see the error:

    # cc kadmind18b.c -lkrb5
    # ./a.out

This is with source from git from this morning (Nov 29).
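The following is an added illustration, not Heimdal code or the reporter's demo: a small mock of the kadmind_dispatch() error path that shows the defensive structure, rejecting an empty request before any parsing and keeping a single cleanup label so the storage object is released exactly once, after its last use. The storage type, error codes and function names are assumptions modelled on the snippets above.

```c
/* Added example (not Heimdal code): mock of the dispatch error path with
 * the hardened control flow. Names and error codes are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

#define ERR_EMPTY  1   /* hypothetical code: zero-length request */
#define ERR_SHORT  2   /* hypothetical code: fewer than 4 bytes for cmd */

typedef struct storage {
    const uint8_t *buf;
    size_t len, pos;
    long (*seek)(struct storage *, long, int);  /* like krb5_storage.seek */
} storage;

static long mem_seek(storage *sp, long off, int whence) {
    (void)whence; sp->pos = (size_t)off; return off;
}

static storage *storage_from_mem(const uint8_t *b, size_t n) {
    storage *sp = calloc(1, sizeof *sp);
    if (sp) { sp->buf = b; sp->len = n; sp->seek = mem_seek; }
    return sp;
}

/* Big-endian int32 read, as krb5_ret_int32() does; fails on a short read. */
static int ret_int32(storage *sp, int32_t *v) {
    const uint8_t *p = sp->buf + sp->pos;
    if (sp->len - sp->pos < 4) return ERR_SHORT;
    *v = (int32_t)((uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]);
    sp->pos += 4;
    return 0;
}

/* Returns 0 and sets *cmd on success, else a nonzero error code. */
int dispatch(const uint8_t *req, size_t len, int32_t *cmd) {
    storage *sp;
    int ret;
    if (len == 0)                 /* refuse empty requests before parsing */
        return ERR_EMPTY;
    sp = storage_from_mem(req, len);
    if (sp == NULL) return -1;
    ret = ret_int32(sp, cmd);
    if (ret) goto fail;           /* no free here: fail still uses sp */
fail:
    (*sp->seek)(sp, 0, SEEK_SET); /* safe: sp is still live */
    free(sp);                     /* single point of release */
    return ret;
}
```

The original bug is the krb5_storage_free(sp) inside the error branch; moving the release to the common exit is what makes the seek on the fail path well defined.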
Created attachment 238463 [details]
heimdal: Fix bus fault when zero-length request received

    bob# MALLOC_CONF='junk:true' /usr/libexec/kadmind --debug
    2022-11-30T16:30:58 krb5_read_priv_message: End of file
    bob#
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=6742ff42ab3b6e65239f975314060b1393e22d62

commit 6742ff42ab3b6e65239f975314060b1393e22d62
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2022-12-01 00:11:18 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2022-12-01 14:24:12 +0000

    heimdal: Fix bus fault when zero-length request received

    Zero-length client requests result in a bus fault when attempting to
    free malloc()ed pointers within the request's softc. Return an error
    when the request is zero length.

    PR:             268062
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    MFC after:      3 days

 crypto/heimdal/lib/krb5/read_message.c | 5 +++++
 1 file changed, 5 insertions(+)
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=95240a65fb18985378988d5077fbac43fba30c5c

commit 95240a65fb18985378988d5077fbac43fba30c5c
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2022-12-01 00:11:18 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2022-12-05 21:50:28 +0000

    heimdal: Fix bus fault when zero-length request received

    Zero-length client requests result in a bus fault when attempting to
    free malloc()ed pointers within the request's softc. Return an error
    when the request is zero length.

    PR:             268062
    Reported by:    Robert Morris <rtm@lcs.mit.edu>

    (cherry picked from commit 6742ff42ab3b6e65239f975314060b1393e22d62)

 crypto/heimdal/lib/krb5/read_message.c | 5 +++++
 1 file changed, 5 insertions(+)
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=78d44cb4b533af106f5cf1ef1603fb1f08f9594a

commit 78d44cb4b533af106f5cf1ef1603fb1f08f9594a
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2022-12-01 00:11:18 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2022-12-05 21:50:44 +0000

    heimdal: Fix bus fault when zero-length request received

    Zero-length client requests result in a bus fault when attempting to
    free malloc()ed pointers within the request's softc. Return an error
    when the request is zero length.

    PR:             268062
    Reported by:    Robert Morris <rtm@lcs.mit.edu>

    (cherry picked from commit 6742ff42ab3b6e65239f975314060b1393e22d62)

 crypto/heimdal/lib/krb5/read_message.c | 5 +++++
 1 file changed, 5 insertions(+)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=3deefb0d147d71047a13ec2328b1b721da2ce256

commit 3deefb0d147d71047a13ec2328b1b721da2ce256
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2022-12-08 23:22:43 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2022-12-09 14:09:54 +0000

    heimdal: Properly fix bus fault when zero-length request received

    Zero-length client requests result in a bus fault when attempting to
    free malloc()ed pointers within the request's softc. Return an error
    when the request is zero length.

    This properly fixes PR/268062 without regressions.

    PR:             268062
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    MFC after:      3 days

 crypto/heimdal/kadmin/server.c | 2 ++
 1 file changed, 2 insertions(+)
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=08c3ed3469de06199b1a8e2176df3c2e802b0519

commit 08c3ed3469de06199b1a8e2176df3c2e802b0519
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2022-12-08 23:22:43 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2022-12-12 14:40:33 +0000

    heimdal: Properly fix bus fault when zero-length request received

    Zero-length client requests result in a bus fault when attempting to
    free malloc()ed pointers within the request's softc. Return an error
    when the request is zero length.

    This properly fixes PR/268062 without regressions.

    PR:             268062
    Reported by:    Robert Morris <rtm@lcs.mit.edu>

    (cherry picked from commit 3deefb0d147d71047a13ec2328b1b721da2ce256)

 crypto/heimdal/kadmin/server.c | 2 ++
 1 file changed, 2 insertions(+)
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=a8970f585cdfca3ce8b22a4921a9490b592ef4ff

commit a8970f585cdfca3ce8b22a4921a9490b592ef4ff
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2022-12-08 23:22:43 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2022-12-12 14:41:17 +0000

    heimdal: Properly fix bus fault when zero-length request received

    Zero-length client requests result in a bus fault when attempting to
    free malloc()ed pointers within the request's softc. Return an error
    when the request is zero length.

    This properly fixes PR/268062 without regressions.

    PR:             268062
    Reported by:    Robert Morris <rtm@lcs.mit.edu>

    (cherry picked from commit 3deefb0d147d71047a13ec2328b1b721da2ce256)

 crypto/heimdal/kadmin/server.c | 2 ++
 1 file changed, 2 insertions(+)
Fixed.