209529 – double free or corruption when kerberos ticket present.

Bug 209529 - double free or corruption when kerberos ticket present.

Summary: double free or corruption when kerberos ticket present.

Keywords:
Status:	CLOSED DUPLICATE of bug 208102
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	openssh
Sub Component:
Version:	5
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	---
Assignee:	Tomas Mraz
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-10-05 20:11 UTC by Pawel Salek
Modified:	2007-11-30 22:11 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2006-10-06 08:00:28 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Pawel Salek 2006-10-05 20:11:52 UTC

Description of problem:
ssh client crashes if it runs on a host that has a kerberos ticket present even
if kerberos is not used for authentication.

Version-Release number of selected component (if applicable):
openssh-clients-4.3p2-4.10

How reproducible:
Always.

Steps to Reproduce:
1. kinit miffo.SE
2. ssh -v example.com
  
Actual results:
[snip]
debug1: Host 'example.com' is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
*** glibc detected *** ssh: double free or corruption (top): 0x08263d30 ***
======= Backtrace: =========
/lib/libc.so.6[0x1a71cd]
/lib/libc.so.6(cfree+0x90)[0x1a7360]
/usr/lib/libkrb5.so.3(krb5_free_cred_contents+0x8d)[0x81cbbd]
/usr/lib/libkrb5.so.3(krb5_free_creds+0x29)[0x81cc49]
/usr/lib/libkrb5.so.3(krb5_free_tgt_creds+0x2e)[0x81cc8e]
/usr/lib/libkrb5.so.3(krb5_get_credentials+0x1dc)[0x8173dc]
/usr/lib/libgssapi_krb5.so.2(krb5_gss_init_sec_context+0xab9)[0xc8ef19]
/usr/lib/libgssapi_krb5.so.2(gss_init_sec_context+0x71)[0xc93511]
ssh[0x48cac3]
ssh[0x48cc9c]
ssh[0x46edad]
ssh[0x46ef5d]
ssh[0x46f62a]
ssh[0x4869ab]
ssh[0x46faed]
ssh[0x469f81]
ssh(main+0x1007)[0x4612c7]
/lib/libc.so.6(__libc_start_main+0xdc)[0x15723c]
ssh[0x45f581]

Expected results:
One should be able to log in to the host.

Additional info:
The KDC has strong Heimdal preference but I guess everybody knows that. Still,
only Fedora software runs on the client so one cannot blame it on KDC.
Destroying the ticket fixes the problem, the following output appears:
[snip]
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Miscellaneous failure
No credentials cache found

debug1: Miscellaneous failure
No credentials cache found

debug1: Next authentication method: publickey

So, my first guess is that the recent credential caching code has not been
thoroughly tested...

Comment 1 Tomas Mraz 2006-10-06 08:00:28 UTC


*** This bug has been marked as a duplicate of 208102 ***

Note You need to log in before you can comment on or make changes to this bug.