|
Bugzilla – Full Text Bug Listing |
| Summary: | The OpenSuSE version of krb5 1.9 has introduced a bug that causes denial of service. | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE 12.1 | Reporter: | Tom Parker <tparker> |
| Component: | Network | Assignee: | Michael Calmer <mc> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Major | ||
| Priority: | P3 - Medium | CC: | tparker |
| Version: | Final | ||
| Target Milestone: | Final | ||
| Hardware: | All | ||
| OS: | Other | ||
| Whiteboard: | |||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
Thanks for the report. The fix is already commited in the devel project for FACTORY. (https://build.opensuse.org/package/files?package=krb5&project=network) It will go out with the next update for 12.1 Thanks for the Fix. I am using the Build Services versions and I can confirm that they are fixed. Thanks for confirming that the fix is working. Fix submitted to openSUSE 12.1 for update. Closing as fixed. This is an autogenerated message for OBS integration: This bug (731648) was mentioned in https://build.opensuse.org/request/show/95685 12.1 / krb5 https://build.opensuse.org/request/show/95686 Factory / krb5 |
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20100101 Firefox/8.0 I have found a bug in the current version of the krb5 client side libraries that suse is packaging that can cause a denial of service in a multi-KDC setup where one of the KDC processes is down. If one KDC is down the client will be unable to authenticate to any of the other KDCs until either the server hosting the KDC process is brought down or the KDC process is restarted. The packagers at Red Hat said: That looks like a bug that we ran into when the send-to-kdc code was reworked to use poll() (RT#6905) and we pulled it from trunk to add to our 1.9 and 1.9.1 binary packages. The fix was RT#6951. We ran into another case, too, but by then that part of the library had been reworked again so that trunk didn't need the fix, so I didn't open a ticket for it. I'll append the patch for it below. HTH, Nalin If we exit the transmit loop cleanly, don't overestimate the size of the connections array. This bug appears to have been removed upstream when this function was rewritten in trunk, and the select()-based implementation is still what's in 1.9, so this patch has nowhere to go. --- krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c 2011-09-28 14:54:20.560811664 -0400 +++ krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c 2011-09-28 14:54:11.396812292 -0400 @@ -1317,7 +1319,10 @@ krb5int_sendto (krb5_context context, co call with the last one from the above loop, if the loop actually calls select. */ sel_state->end_time.tv_sec += delay_this_pass; - e = service_fds(context, sel_state, conns, host+1, &winning_conn, + i = host+1; + if (i > n_conns) + i = n_conns; + e = service_fds(context, sel_state, conns, i, &winning_conn, sel_state+1, msg_handler, msg_handler_data); if (e) break; Reproducible: Always Steps to Reproduce: 1. Set up a multi KDC Kerberos REALM and use SRV records to publish KDC locations 2. Stop the KDC service on one of the nodes. (Do not shut down server, Just have nothing listening on the port) 3. Kinit will now fail. Actual Results: Kinit fails with: kinit: sendto_kdc.c:617: cm_get_ssflags: Assertion `i < selstate->nfds' failed. Expected Results: Successful kinit against active KDC