
Core produced strdup null principal name #1189

Open
shawnmckinney opened this issue Oct 25, 2023 · 2 comments


@shawnmckinney

Description
A crash while trying to strdup() the value of a (null) principal-name component copied out of a ticket.

To Reproduce
Unknown. This happened in a production environment; the hosting process (slapd) crashed.

Expected behavior
Check for a NULL string before calling strdup() (frames #1–#2 of the backtrace show __GI___strdup being passed s=0x0 from der_copy_general_string, reached via copy_PrincipalName).

System:

  • OS: Debian 11.8
  • Heimdal 7.8.0

Additional context

excerpt from backtrace:

# thread 1:
Thread 1 (Thread 0x7f3bdcbfc700 (LWP 157031)):
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:74
No locals.
#1  0x00007f47140c5b6f in __GI___strdup (s=0x0) at strdup.c:41
        len = <optimized out>
        new = <optimized out>
#2  0x00007f471390b55c in der_copy_general_string (from=<optimized out>, to=0x7f3b98d85fe8) at der_copy.c:44
No locals.
#3  0x00007f47138c3862 in copy_PrincipalName (from=from@entry=0x7f3b847aca00, to=to@entry=0x7f3b9b585750) at asn1_krb5_asn1.c:1019
No locals.
#4  0x00007f47138c3c8c in copy_Principal (from=from@entry=0x7f3b847aca00, to=to@entry=0x7f3b9b585750) at asn1_krb5_asn1.c:1160
No locals.
#5  0x00007f471398d6a0 in krb5_copy_principal (context=context@entry=0x7f3b9b566350, inprinc=0x7f3b847aca00, outprinc=outprinc@entry=0x7f3bdcbfb008) at principal.c:916
        p = 0x7f3b9b585750
#6  0x00007f4713960ebf in krb5_copy_creds_contents (context=0x7f3b9b566350, incred=0x7f3b8750b020, c=0x7f3bdcbfb000) at creds.c:88
        ret = 0
#7  0x00007f471395aa9b in krb5_cc_retrieve_cred (creds=0x7f3bdcbfb000, mcreds=0x7f3bdcbfaf70, whichfields=0, id=0x7f3b99c859a0, context=0x7f3b9b566350) at cache.c:802
        ret = <optimized out>
        cursor = 0x7f3b84c12430
        ret = <optimized out>
        cursor = <optimized out>
#8  krb5_cc_retrieve_cred (context=0x7f3b9b566350, id=0x7f3b99c859a0, whichfields=0, mcreds=0x7f3bdcbfaf70, creds=0x7f3bdcbfb000) at cache.c:785
        ret = <optimized out>
        cursor = <optimized out>
#9  0x00007f471395b79b in krb5_cc_get_config (context=context@entry=0x7f3b9b566350, id=id@entry=0x7f3b99c859a0, principal=principal@entry=0x0, name=name@entry=0x7f47139a1511 "start_realm", data=data@entry=0x7f3bdcbfb100) at cache.c:1458
        mcred = {client = 0x7f3b98e28f20, server = 0x7f3b99c1e0a0, session = {keytype = 0, keyvalue = {length = 0, data = 0x0}}, times = {authtime = 0, starttime = 0, endtime = 0, renew_till = 0}, ticket = {length = 0, data = 0x0}, second_ticket = {length = 0, data = 0x0}, authdata = {len = 0, val = 0x0}, addresses = {len = 0, val = 0x0}, flags = {b = {reserved = 0, forwardable = 0, forwarded = 0, proxiable = 0, proxy = 0, may_postdate = 0, postdated = 0, invalid = 0, renewable = 0, initial = 0, pre_authent = 0, hw_authent = 0, transited_policy_checked = 0, ok_as_delegate = 0, _unused14 = 0, enc_pa_rep = 0, anonymous = 0, _unused17 = 0, _unused18 = 0, _unused19 = 0, _unused20 = 0, _unused21 = 0, _unused22 = 0, _unused23 = 0, _unused24 = 0, _unused25 = 0, _unused26 = 0, _unused27 = 0, _unused28 = 0, _unused29 = 0, _unused30 = 0, _unused31 = 0}, i = 0}}
        cred = {client = 0x7f3b9b54d100, server = 0x0, session = {keytype = 0, keyvalue = {length = 0, data = 0x0}}, times = {authtime = 0, starttime = 0, endtime = 0, renew_till = 0}, ticket = {length = 0, data = 0x0}, second_ticket = {length = 0, data = 0x0}, authdata = {len = 0, val = 0x0}, addresses = {len = 0, val = 0x0}, flags = {b = {reserved = 0, forwardable = 0, forwarded = 0, proxiable = 0, proxy = 0, may_postdate = 0, postdated = 0, invalid = 0, renewable = 0, initial = 0, pre_authent = 0, hw_authent = 0, transited_policy_checked = 0, ok_as_delegate = 0, _unused14 = 0, enc_pa_rep = 0, anonymous = 0, _unused17 = 0, _unused18 = 0, _unused19 = 0, _unused20 = 0, _unused21 = 0, _unused22 = 0, _unused23 = 0, _unused24 = 0, _unused25 = 0, _unused26 = 0, _unused27 = 0, _unused28 = 0, _unused29 = 0, _unused30 = 0, _unused31 = 0}, i = 0}}
        ret = 0
#10 0x00007f471395bc0c in krb5_cc_get_lifetime (context=context@entry=0x7f3b9b566350, id=0x7f3b99c859a0, t=t@entry=0x7f3bdcbfb230) at cache.c:1740
        config_start_realm = {length = 0, data = 0x0}
        start_realm = <optimized out>
        cursor = 0x7f3b98d78738
        ret = <optimized out>
        cred = {client = 0x7f3b9b54d118, server = 0x7f3b84c3edd0, session = {keytype = 12, keyvalue = {length = 139943255759739, data = 0x7f3b875142f0}}, times = {authtime = 139893985825048, starttime = 139893650047728, endtime = 139943247656284, renew_till = 139893650047728}, ticket = {length = 139943247360128, data = 0x7f3b9b54d100}, second_ticket = {length = 13282959448892476160, data = 0x7f3bdcbfb228}, authdata = {len = 489130752, val = 0x7f3b9b54d100}, addresses = {len = 489130752, val = 0x7f3b9b54d100}, flags = {b = {reserved = 0, forwardable = 0, forwarded = 0, proxiable = 1, proxy = 1, may_postdate = 0, postdated = 0, invalid = 0, renewable = 1, initial = 0, pre_authent = 0, hw_authent = 0, transited_policy_checked = 1, ok_as_delegate = 0, _unused14 = 1, enc_pa_rep = 1, anonymous = 0, _unused17 = 0, _unused18 = 1, _unused19 = 0, _unused20 = 1, _unused21 = 0, _unused22 = 1, _unused23 = 0, _unused24 = 1, _unused25 = 1, _unused26 = 0, _unused27 = 1, _unused28 = 1, _unused29 = 0, _unused30 = 0, _unused31 = 1}, i = 2606027032}}
        now = 1698091686
        endtime = 0
#11 0x00007f471395becc in krb5_cc_cache_match (context=context@entry=0x7f3b9b566350, client=0x7f3b99c3f0a0, id=id@entry=0x7f3b98d27d78) at cache.c:1246
        principal = 0x7f3b9b54d100
        match = 1
        lifetime = 0
        cursor = 0x7f3b9888d0f0
        ret = <optimized out>
        cache = 0x7f3b99c859a0
        expired_match = 0x0
#12 0x00007f47139ff3e0 in get_ccache (id=0x7f3b98d27d78, destroy=0x7f3b98d27d90, context=0x7f3b9b566350) at ntlm/kdc.c:87
        principal = 0x7f3b99c3f0a0
        ret = 0
        kt = 0x0
        principal = <optimized out>
        ret = <optimized out>
        kt = <optimized out>
        out = <optimized out>
        cache = <optimized out>
        opt = <optimized out>
        cred = {client = <optimized out>, server = <optimized out>, session = {keytype = <optimized out>, keyvalue = {length = <optimized out>, data = <optimized out>}}, times = {authtime = <optimized out>, starttime = <optimized out>, endtime = <optimized out>, renew_till = <optimized out>}, ticket = {length = <optimized out>, data = <optimized out>}, second_ticket = {length = <optimized out>, data = <optimized out>}, authdata = {len = <optimized out>, val = <optimized out>}, addresses = {len = <optimized out>, val = <optimized out>}, flags = {b = {reserved = <optimized out>, forwardable = <optimized out>, forwarded = <optimized out>, proxiable = <optimized out>, proxy = <optimized out>, may_postdate = <optimized out>, postdated = <optimized out>, invalid = <optimized out>, renewable = <optimized out>, initial = <optimized out>, pre_authent = <optimized out>, hw_authent = <optimized out>, transited_policy_checked = <optimized out>, ok_as_delegate = <optimized out>, _unused14 = <optimized out>, enc_pa_rep = <optimized out>, anonymous = <optimized out>, _unused17 = <optimized out>, _unused18 = <optimized out>, _unused19 = <optimized out>, _unused20 = <optimized out>, _unused21 = <optimized out>, _unused22 = <optimized out>, _unused23 = <optimized out>, _unused24 = <optimized out>, _unused25 = <optimized out>, _unused26 = <optimized out>, _unused27 = <optimized out>, _unused28 = <optimized out>, _unused29 = <optimized out>, _unused30 = <optimized out>, _unused31 = <optimized out>}, i = <optimized out>}}
#13 kdc_alloc (minor=0x7f3bdcbfb66c, ctx=0x7f3b9b4bac08) at ntlm/kdc.c:176
        ret = <optimized out>
        c = 0x7f3b98d27d60
        junk = 82
#14 0x00007f47139fcbfd in _gss_ntlm_acquire_cred (min_stat=0x7f3bdcbfb66c, desired_name=0x7f3b9b45acf0, time_req=<optimized out>, desired_mechs=<optimized out>, cred_usage=2, output_cred_handle=0x7f3b99c645b8, actual_mechs=0x0, time_rec=0x7f3bdcbfb434) at ntlm/acquire_cred.c:60
        name = 0x7f3b9b45acf0
        domain = 0x0
        maj_stat = <optimized out>
        ctx = 0x7f3b9b4bac00
#15 0x00007f47139f3506 in gss_acquire_cred (minor_status=minor_status@entry=0x7f3bdcbfb66c, desired_name=0x7f3b9880fb40, time_req=time_req@entry=4294967295, desired_mechs=desired_mechs@entry=0x7f3bdcbfb500, cred_usage=cred_usage@entry=2, output_cred_handle=output_cred_handle@entry=0x7f3b99be4078, actual_mechs=0x0, time_rec=0x7f3bdcbfb5b4) at mech/gss_acquire_cred.c:125
        mn = 0x7f3b989d5620
        major_status = <optimized out>
        mechs = 0x7f3bdcbfb500
        set = {count = 1, elements = 0x7f3b9b57aaa0}
        name = 0x7f3b9880fb40
        m = 0x5573de51c638
        cred = 0x7f3b9b59df70
        mc = 0x7f3b99c645a0
        min_time = 4294967295
        cred_time = 4294967295
        i = 0
#16 0x00007f4713a01f1a in _gss_spnego_acquire_cred (minor_status=0x7f3bdcbfb66c, desired_name=<optimized out>, time_req=4294967295, desired_mechs=<optimized out>, cred_usage=2, output_cred_handle=0x7f3b99be4078, actual_mechs=0x0, time_rec=0x7f3bdcbfb5b4) at spnego/cred_stubs.c:109
        dname = <optimized out>
        name = 0x7f3b9880fb40
        ret = <optimized out>
        tmp = 32583
        actual_desired_mechs = {count = 2, elements = 0x7f3b9b57aaa0}
        mechs = 0x7f3b98db4e40
        i = <optimized out>
        j = <optimized out>
#17 0x00007f47139f3506 in gss_acquire_cred (minor_status=minor_status@entry=0x7f3bdcbfb66c, desired_name=0x7f3b9b4f7440, time_req=time_req@entry=4294967295, desired_mechs=desired_mechs@entry=0x0, cred_usage=cred_usage@entry=2, output_cred_handle=output_cred_handle@entry=0x7f3b9b41d720, actual_mechs=0x0, time_rec=0x0) at mech/gss_acquire_cred.c:125
        mn = 0x7f3b98e57bd0
        major_status = <optimized out>
        mechs = 0x5573de51c0d0
        set = {count = 1, elements = 0x5573de51c850}
        name = 0x7f3b9b4f7440
        m = 0x5573de51c3d8
        cred = 0x7f3b98dd5f10
        mc = 0x7f3b99be4060
        min_time = 4294967295
        cred_time = 0
        i = 1
#18 0x00007f4713a1a1f6 in gssapi_server_mech_authneg (oparams=0x7f3c00245350, serveroutlen=0x7f3bdcbfb808, serverout=0x7f3bdcbfb828, clientinlen=651, clientin=0x7f3b9b4bb82c "`\202\002\207\006\t*\206H\206\367\022\001\002\002\001", params=0x7f3c00384740, text=0x7f3b9b41d6f0) at gssapi.c:881
        ret = <optimized out>
        name_without_realm = {length = 139893985312848, value = 0x49}
        maj_stat = <optimized out>
        min_stat = 0
        name_token = {length = 30, value = 0x0}
        out_flags = 0
        server_creds = <optimized out>
        client_name_MN = 0x0
        input_token = 0x7f3bdcbfb690
        output_token = 0x7f3bdcbfb6a0
        real_input_token = {length = 0, value = 0x0}
        real_output_token = {length = 0, value = 0x0}
        equal = 0
        without = 0x0
        mech_type = 0x2
        input_token = <optimized out>
        output_token = <optimized out>
        real_input_token = {length = <optimized out>, value = <optimized out>}
        real_output_token = {length = <optimized out>, value = <optimized out>}
        maj_stat = <optimized out>
        min_stat = <optimized out>
        name_token = {length = <optimized out>, value = <optimized out>}
        ret = <optimized out>
        equal = <optimized out>
        out_flags = <optimized out>
        server_creds = <optimized out>
        name_without_realm = {length = <optimized out>, value = <optimized out>}
        client_name_MN = <optimized out>
        without = <optimized out>
        mech_type = <optimized out>
        __PRETTY_FUNCTION__ = "gssapi_server_mech_authneg"
        cleanup = <optimized out>
#19 gssapi_server_mech_step (conn_context=0x7f3b9b41d6f0, params=0x7f3c00384740, clientin=0x7f3b9b4bb82c "`\202\002\207\006\t*\206H\206\367\022\001\002\002\001", clientinlen=651, serverout=0x7f3bdcbfb828, serveroutlen=0x7f3bdcbfb808, oparams=0x7f3c00245350) at gssapi.c:1442
        text = 0x7f3b9b41d6f0
        ret = <optimized out>
#20 0x00007f471427ffb3 in sasl_server_step (conn=conn@entry=0x7f3c00244ae0, clientin=clientin@entry=0x7f3b9b4bb82c "`\202\002\207\006\t*\206H\206\367\022\001\002\002\001", clientinlen=clientinlen@entry=651, serverout=serverout@entry=0x7f3bdcbfb828, serveroutlen=serveroutlen@entry=0x7f3bdcbfb808) at server.c:1626
        ret = <optimized out>
        s_conn = 0x7f3c00244ae0
#21 0x00007f47142804a8 in sasl_server_start (conn=0x7f3c00244ae0, mech=<optimized out>, clientin=0x7f3b9b4bb82c "`\202\002\207\006\t*\206H\206\367\022\001\002\002\001", clientinlen=651, serverout=serverout@entry=0x7f3bdcbfb828, serveroutlen=serveroutlen@entry=0x7f3bdcbfb808) at server.c:1541
        s_conn = 0x7f3c00244ae0
        result = <optimized out>
        cur = <optimized out>
        prev = <optimized out>
        m = 0x5573de531b40
        mech_len = <optimized out>
        plus = 0
#22 0x00005573dda85851 in slap_sasl_bind (op=op@entry=0x7f3b99dc75c0, rs=rs@entry=0x7f3bdcbfb930) at sasl.c:1668
        ctx = 0x7f3c00244ae0
        response = {bv_len = 0, bv_val = 0x0}
        reslen = 0
        sc = <optimized out>
@nicowilliams
Contributor

Any ideas on how to reproduce this? Also, what version of Heimdal is this? 7.8 or the master branch?

@shawnmckinney
Author

It's 7.8. Unfortunately, no: it happened out in the wild, in one of our customer's installations.
