dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone

Blame SOURCES/0152-KRB5-Fix-access_provider-krb5.patch

bb7cd1
From 3ee575c2852adb9d5a5c0a4616c082afc6779a8e Mon Sep 17 00:00:00 2001
bb7cd1
From: Jakub Hrozek <jhrozek@redhat.com>
bb7cd1
Date: Thu, 1 Jun 2017 09:51:31 +0200
bb7cd1
Subject: [PATCH 152/152] KRB5: Fix access_provider=krb5
bb7cd1
MIME-Version: 1.0
bb7cd1
Content-Type: text/plain; charset=UTF-8
bb7cd1
Content-Transfer-Encoding: 8bit
bb7cd1
bb7cd1
The domain type (posix or not) was being sent to the krb5_child always,
bb7cd1
but the buffer only had enough space in case of authentication, not
bb7cd1
authorization. Bug was introduced in the commit
bb7cd1
  861ab44e8148208425b67c4711bc8fade10fd3ed
bb7cd1
bb7cd1
This patch makes the buffer one uint32_t unit larger.
bb7cd1
bb7cd1
To reproduce, just set up sssd.conf with:
bb7cd1
    access_provider = krb5
bb7cd1
bb7cd1
Without the patch, you would see messages like:
bb7cd1
    ==14111== Invalid write of size 2
bb7cd1
    ==14111==    at 0x4C3041B: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1018)
bb7cd1
    ==14111==    by 0xE0EE275: safealign_memcpy (util_safealign.h:51)
bb7cd1
    ==14111==    by 0xE0EECB3: create_send_buffer (krb5_child_handler.c:239)
bb7cd1
    ==14111==    by 0xE0EFDDE: handle_child_send (krb5_child_handler.c:529)
bb7cd1
    ==14111==    by 0xE0EDEDD: krb5_access_send (krb5_access.c:149)
bb7cd1
    ==14111==    by 0xE0ED32F: krb5_pam_handler_send (krb5_auth.c:1250)
bb7cd1
    ==14111==    by 0x418868: file_dp_request (dp_request.c:254)
bb7cd1
    ==14111==    by 0x418976: dp_req_send (dp_request.c:300)
bb7cd1
    ==14111==    by 0x41C25F: dp_pam_handler (dp_target_auth.c:219)
bb7cd1
    ==14111==    by 0x52B3456: sbus_request_invoke_or_finish (sssd_dbus_request.c:71)
bb7cd1
    ==14111==    by 0x52B0F37: sbus_message_handler_got_caller_id (sssd_dbus_interface.c:1048)
bb7cd1
    ==14111==    by 0x923C923: tevent_common_loop_immediate (tevent_immediate.c:135)
bb7cd1
    ==14111==  Address 0x126ab506 is 150 bytes inside a block of size 151 alloc'd
bb7cd1
    ==14111==    at 0x4C2BBAD: malloc (vg_replace_malloc.c:299)
bb7cd1
    ==14111==    by 0x944D7F4: __talloc_with_prefix (talloc.c:698)
bb7cd1
    ==14111==    by 0x944D7F4: __talloc (talloc.c:739)
bb7cd1
    ==14111==    by 0x944D7F4: _talloc_named_const (talloc.c:896)
bb7cd1
    ==14111==    by 0x944D7F4: talloc_named_const (talloc.c:1675)
bb7cd1
    ==14111==    by 0xE0EE7B6: create_send_buffer (krb5_child_handler.c:185)
bb7cd1
    ==14111==    by 0xE0EFDDE: handle_child_send (krb5_child_handler.c:529)
bb7cd1
    ==14111==    by 0xE0EDEDD: krb5_access_send (krb5_access.c:149)
bb7cd1
    ==14111==    by 0xE0ED32F: krb5_pam_handler_send (krb5_auth.c:1250)
bb7cd1
    ==14111==    by 0x418868: file_dp_request (dp_request.c:254)
bb7cd1
    ==14111==    by 0x418976: dp_req_send (dp_request.c:300)
bb7cd1
    ==14111==    by 0x41C25F: dp_pam_handler (dp_target_auth.c:219)
bb7cd1
    ==14111==    by 0x52B3456: sbus_request_invoke_or_finish (sssd_dbus_request.c:71)
bb7cd1
    ==14111==    by 0x52B0F37: sbus_message_handler_got_caller_id (sssd_dbus_interface.c:1048)
bb7cd1
    ==14111==    by 0x923C923: tevent_common_loop_immediate (tevent_immediate.c:135)
bb7cd1
bb7cd1
Resolves:
bb7cd1
https://pagure.io/SSSD/sssd/issue/3418
bb7cd1
bb7cd1
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
bb7cd1
---
bb7cd1
 src/providers/krb5/krb5_child_handler.c | 4 ++--
bb7cd1
 1 file changed, 2 insertions(+), 2 deletions(-)
bb7cd1
bb7cd1
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
bb7cd1
index 87e79a06e917aadb622455bccfc2e9c6769f70c2..11ac867e62d2ff96b827cf6d4ff341fc8ff0a286 100644
bb7cd1
--- a/src/providers/krb5/krb5_child_handler.c
bb7cd1
+++ b/src/providers/krb5/krb5_child_handler.c
bb7cd1
@@ -156,14 +156,14 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
bb7cd1
         return ENOMEM;
bb7cd1
     }
bb7cd1
 
bb7cd1
-    buf->size = 8*sizeof(uint32_t) + strlen(kr->upn);
bb7cd1
+    buf->size = 9*sizeof(uint32_t) + strlen(kr->upn);
bb7cd1
 
bb7cd1
     if (kr->pd->cmd == SSS_PAM_AUTHENTICATE ||
bb7cd1
         kr->pd->cmd == SSS_PAM_PREAUTH ||
bb7cd1
         kr->pd->cmd == SSS_CMD_RENEW ||
bb7cd1
         kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM ||
bb7cd1
         kr->pd->cmd == SSS_PAM_CHAUTHTOK) {
bb7cd1
-        buf->size += 5*sizeof(uint32_t) + strlen(kr->ccname) + strlen(keytab) +
bb7cd1
+        buf->size += 4*sizeof(uint32_t) + strlen(kr->ccname) + strlen(keytab) +
bb7cd1
                      sss_authtok_get_size(kr->pd->authtok);
bb7cd1
 
bb7cd1
         buf->size += sizeof(uint32_t);
bb7cd1
-- 
bb7cd1
2.9.4
bb7cd1