NetBSD-Bugs archive
bin/55145: kadmin mis-parses commands that include '\' escape characters
>Number: 55145
>Category: bin
>Synopsis: kadmin mis-parses commands that include '\' escape characters
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Apr 06 05:45:00 +0000 2020
>Originator: Duncan McEwan
>Release: NetBSD 8.1_STABLE
>Organization:
School of Engineering and Computer Science,
Victoria University of Wellington
>Environment:
System: NetBSD turakirae.ecs.vuw.ac.nz 8.1_STABLE NetBSD 8.1_STABLE (GENERIC) #4: Sun Jan 12 17:21:45 NZDT 2020 mark%turakirae.ecs.vuw.ac.nz@localhost:/local/SAVE/8_64.obj/src/work/8/src/sys/arch/amd64/compile/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:
If you run kadmin (or kadmin -l) in interactive mode and enter command line
parameters containing '\' escape characters, in some circumstances the command
is not parsed correctly.
>How-To-Repeat:
For eg:

* Try to include the character sequence '\"' in a password

    kdc# kadmin -l
    kadmin> cpw --password="xxx\\\"yyy" duncan
    sl_loop: out of memory
    kadmin> cpw --password=xxx\\"yyy duncan
    kadmin>

  I think the 2nd case above only succeeds due to the bug - it should fail
  because of the unescaped '"' character.

* Try to end a password with '"'

    kdc# kadmin -l
    kadmin> cpw --password="xxx\"" duncan
    sl_loop: out of memory
    kadmin> cpw --password=xxx\" duncan
    Arguments given (0) are less than expected (1).
    Usage: passwd [-rh] [--random-key] [--random-password] [--password=string]
    [-p string] [--key=string] [--help] principal...
    -r, --random-key set random key
    --random-password set random password
    -p string, --password=string princial's password
    --key=string DES key in hex

* Try to include spaces in a password using '\' escapes rather than "..."

    kdc# kadmin -l
    kadmin> cpw --password=xxx\ yyy duncan
    kadmin> cpw --password=xxx\\ yyy duncan
    kadmin> cpw --password=xxx\\\ yyy duncan
    kadmin: cpw yyy: Principal does not exist
    kadmin> cpw --password=xxx\ \ yyy duncan
    kadmin: cpw yyy: Principal does not exist
    kadmin>

  In the above the 2nd case should result in the error of the 3rd since there's
  an unescaped ' '. The 3rd case should work.
>Fix:
The above failures are all caused by an off-by-one error in
src/crypto/external/bsd/heimdal/dist/lib/sl/sl.c.
--- src/crypto/external/bsd/heimdal/dist/lib/sl/sl.c.orig 2017-10-21 19:21:49.292484114 +1300
+++ src/crypto/external/bsd/heimdal/dist/lib/sl/sl.c 2020-04-06 15:14:06.832183226 +1200
@@ -250,7 +250,7 @@
if (p[1] == '\0')
goto failed;
memmove(&p[0], &p[1], strlen(&p[1]) + 1);
- p += 2;
+ p += 1;
continue;
} else if (quote || !isspace((unsigned char)*p)) {
p++;
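Review bot: at the changed line, `p += 1;` would read better as `p++;`, matching the branch directly below it, and the block deserves a one-line comment giving the reason for the step of one: after the memmove, p[0] already holds the escaped character, so that is the only character to step over. A step of two also passed over the character following it without examining it, which is how an unescaped '"' or space right after an escape went unnoticed.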
I added some extra test cases to test_sl.c. With the original code these all
fail. With the above patch the original and these additional tests all pass.
--- src/crypto/external/bsd/heimdal/dist/lib/sl/test_sl.c.orig 2017-10-21 19:21:49.294261371 +1300
+++ src/crypto/external/bsd/heimdal/dist/lib/sl/test_sl.c 2020-04-06 16:05:01.408434086 +1200
@@ -60,6 +60,9 @@
{ 1, "\"foo bar baz\"", 1, { "foo bar baz" }},
{ 1, "\\\"foo bar baz", 3, { "\"foo", "bar", "baz" }},
{ 1, "\\ foo bar baz", 3, { " foo", "bar", "baz" }},
+ { 1, "foo\\\\\\\"barbaz", 1, { "foo\\\"barbaz" }},
+ { 1, "foobar\\\" baz", 2, { "foobar\"", "baz" }},
+ { 1, "foobar\\ \\ baz", 1, { "foobar baz" }},
{ 0, "\\", 0, { "" }},
{ 0, "\"", 0, { "" }}
};
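Review bot: in the third added case the expected token is shown as "foobar baz" with a single space, but the input "foobar\\ \\ baz" escapes two spaces, so the token should contain two; check that the second space has not been lost from the expected string. The added cases also all place the escape outside double quotes, while the first failure in the report has it inside a quoted string, so a quoted case such as { 1, "\"foo\\\"\" bar", 2, { "foo\"", "bar" }} would cover that path as well.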
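The cursor arithmetic behind the fix, as an added example: this is a constructed model, not the Heimdal sl.c source and not code from the report. The names `split`, `buf`, `tok`, `MAXTOK` and the `step` parameter are hypothetical, and the quote and whitespace handling around the escape branch is assumed; it runs the inputs of the three test cases added in the report with the old step of 2 and the patched step of 1.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define MAXTOK 8
static char buf[64], *tok[MAXTOK];  /* working copy of the line, token starts */

/* Constructed model of an sl-style splitter, not the Heimdal source; only the
 * escape branch follows the patch. step = cursor advance after the backslash is
 * deleted (2 old, 1 patched). Returns the token count, or -1 on a bad line
 * (dangling backslash, open quote) or when there are more than MAXTOK tokens. */
static int split(const char *src, int step)
{
    char *p = buf;
    int n = 0, quote = 0;

    snprintf(buf, sizeof buf, "%s", src);
    for (;;) {
        while (isspace((unsigned char)*p))
            p++;
        if (*p == '\0')
            return n;
        if (n == MAXTOK)
            return -1;
        tok[n++] = p;
        while (*p != '\0' && (quote || !isspace((unsigned char)*p))) {
            if (*p == '"') {
                quote = !quote;
                memmove(p, p + 1, strlen(p + 1) + 1);  /* drop the quote */
            } else if (*p == '\\') {
                if (p[1] == '\0')
                    return -1;                         /* dangling backslash */
                memmove(p, p + 1, strlen(p + 1) + 1);  /* drop the backslash */
                p += step;       /* p[0] is already the escaped character */
            } else
                p++;
        }
        if (quote)
            return -1;                                 /* unterminated quote */
        if (*p != '\0')
            *p++ = '\0';                               /* end the token */
    }
}

int main(void)
{
    /* Inputs of the three cases the report adds to test_sl.c, as C literals. */
    const char *in[] = { "foo\\\\\\\"barbaz", "foobar\\\" baz", "foobar\\ \\ baz" };
    for (int i = 0; i < 6; i++)
        printf("step=%d %-16s -> %d\n", 2 - i % 2, in[i / 2], split(in[i / 2], 2 - i % 2));
    return 0;
}
```

With a step of 2 the model reproduces the symptoms in the report: the escaped quote followed by a space swallows the separator, and the second escaped space becomes a token boundary.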