NetBSD-Bugs archive


bin/55145: kadmin mis-parses commands that include '\' escape characters



>Number:         55145
>Category:       bin
>Synopsis:       kadmin mis-parses commands that include '\' escape characters
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Apr 06 05:45:00 +0000 2020
>Originator:     Duncan McEwan
>Release:        NetBSD 8.1_STABLE
>Organization:
	School of Engineering and Computer Science,
        Victoria University of Wellington
>Environment:
System: NetBSD turakirae.ecs.vuw.ac.nz 8.1_STABLE NetBSD 8.1_STABLE (GENERIC) #4: Sun Jan 12 17:21:45 NZDT 2020 mark%turakirae.ecs.vuw.ac.nz@localhost:/local/SAVE/8_64.obj/src/work/8/src/sys/arch/amd64/compile/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:
If you run kadmin (or kadmin -l) in interactive mode and enter command line
parameters containing '\' escape characters, in some circumstances the command
is not parsed correctly.
>How-To-Repeat:
For example:

* Try to include the character sequence '\"' in a password

kdc# kadmin -l
kadmin> cpw --password="xxx\\\"yyy" duncan
sl_loop: out of memory
kadmin> cpw --password=xxx\\"yyy duncan
kadmin>

I think the 2nd case above only succeeds due to the bug - it should fail
because of the unescaped '"' character.

* Try to end a password with '"'

kdc# kadmin -l
kadmin> cpw --password="xxx\"" duncan
sl_loop: out of memory
kadmin> cpw --password=xxx\" duncan
Arguments given (0) are less than expected (1).

Usage: passwd [-rh] [--random-key] [--random-password] [--password=string]
   [-p string] [--key=string] [--help] principal...
   -r, --random-key             set random key
   --random-password            set random password
   -p string, --password=string princial's password
   --key=string                 DES key in hex

* Try to include spaces in a password using '\' escapes rather than "..."

kdc# kadmin -l
kadmin> cpw --password=xxx\ yyy duncan
kadmin> cpw --password=xxx\\ yyy duncan
kadmin> cpw --password=xxx\\\ yyy duncan
kadmin: cpw yyy: Principal does not exist
kadmin> cpw --password=xxx\ \ yyy duncan
kadmin: cpw  yyy: Principal does not exist
kadmin>

In the above the 2nd case should result in the error of the 3rd since there's
an unescaped ' '.  The 3rd case should work.

>Fix:
The above failures are all caused by an off-by-one error in
src/crypto/external/bsd/heimdal/dist/lib/sl/sl.c.

--- src/crypto/external/bsd/heimdal/dist/lib/sl/sl.c.orig  2017-10-21 19:21:49.292484114 +1300
+++ src/crypto/external/bsd/heimdal/dist/lib/sl/sl.c   2020-04-06 15:14:06.832183226 +1200
@@ -250,7 +250,7 @@
            if (p[1] == '\0')
                goto failed;
            memmove(&p[0], &p[1], strlen(&p[1]) + 1);
-           p += 2;
+           p += 1;
            continue;
        } else if (quote || !isspace((unsigned char)*p)) {
            p++;
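
Review bot: the change from `p += 2` to `p += 1` needs a comment at the `memmove()` and a line in the change description saying that it also fixes a step past the end of the string, not only the mis-parse. After the `memmove()`, `p[0]` is the escaped character and `p[1]` is whatever followed it; the guard `if (p[1] == '\0') goto failed;` only guarantees that the escaped character exists, so when that character is the last one on the line, `p[1]` is the terminator after the shift and the old `p += 2` left `p` one past it. Suggest a comment such as `/* p[0] is now the escaped character; step over it only */` above `p += 1;`.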

I added some extra test cases to test_sl.c.  With the original code these all
fail.  With the above patch the original and these additional tests all pass.

--- src/crypto/external/bsd/heimdal/dist/lib/sl/test_sl.c.orig   2017-10-21 19:21:49.294261371 +1300
+++ src/crypto/external/bsd/heimdal/dist/lib/sl/test_sl.c   2020-04-06 16:05:01.408434086 +1200
@@ -60,6 +60,9 @@
     { 1, "\"foo bar baz\"", 1, { "foo bar baz" }},
     { 1, "\\\"foo bar baz", 3, { "\"foo", "bar", "baz" }},
     { 1, "\\ foo bar baz", 3, { " foo", "bar", "baz" }},
+    { 1, "foo\\\\\\\"barbaz", 1, { "foo\\\"barbaz" }},
+    { 1, "foobar\\\" baz", 2, { "foobar\"", "baz" }},
+    { 1, "foobar\\ \\ baz", 1, { "foobar  baz" }},
     { 0, "\\", 0, { "" }},
     { 0, "\"", 0, { "" }}
 };
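
Review bot: the three added cases do not cover an escape as the final character of the line, nor the mis-split shown in How-To-Repeat. Suggest adding, next to `"foobar\\\" baz"`, a case that ends in an escaped quote with nothing after it, e.g. `{ 1, "foobar\\\"", 1, { "foobar\"" }}`, and one for an escaped backslash followed by an unescaped space, e.g. `{ 1, "foobar\\\\ baz", 2, { "foobar\\", "baz" }}`, which is the `xxx\\ yyy` input from the report. The first of these exercises the path where the pre-patch `p += 2` had only the terminator left to step over.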

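The effect of the step size after an escape, as an added example that is not part of the original report and is not Heimdal's sl.c: `split_line`, `step` and `MAXARGS` are hypothetical names in a simplified model of a quote/backslash line splitter, where `step` 2 stands for the pre-patch `p += 2` and 1 for the patched `p += 1`. The model returns -2 instead of moving the cursor past the terminator.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define MAXARGS 8
/* Simplified model of a quote/backslash splitter (constructed, not sl.c).
 * step: how far the cursor moves after a backslash is removed (2 = pre-patch,
 * 1 = patched). Returns argc, -1 on syntax error, -2 if p would pass the NUL. */
int split_line(char *line, int step, char *argv[MAXARGS])
{
    char *p = line, *begin;
    int argc = 0, quote = 0;
    while (isspace((unsigned char)*p))
        p++;
    begin = p;
    for (;;) {
        if (*p == '"') {
            quote = !quote;
            memmove(p, p + 1, strlen(p + 1) + 1);
        } else if (*p == '\\') {
            if (p[1] == '\0')
                return -1;
            memmove(p, p + 1, strlen(p + 1) + 1); /* p[0] is now the escaped char */
            if ((size_t)step > strlen(p))
                return -2;   /* stepping would skip the terminator */
            p += step;
        } else if (*p != '\0' && (quote || !isspace((unsigned char)*p))) {
            p++;
        } else {
            if (*p != '\0')
                *p++ = '\0'; /* unquoted whitespace ends the word */
            if (quote || argc == MAXARGS)
                return -1;
            argv[argc++] = begin;
            while (isspace((unsigned char)*p))
                p++;
            if (*p == '\0')
                return argc;
            begin = p;
        }
    }
}

int main(void)
{
    char line[] = "cpw --password=xxx\\\\\\ yyy duncan", *argv[MAXARGS];
    int argc = split_line(line, 1, argv); /* constructed input: xxx\\\ yyy */
    for (int i = 0; i < argc; i++)
        puts(argv[i]);
    return 0;
}
```

With `step` 2 the same input splits at the space and `yyy` becomes a separate word, while `xxx\\ yyy` is kept as one word, matching the behaviour shown in How-To-Repeat.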

