Bug 731648 - The OpenSuSE version of krb5 1.9 has introduced a bug that causes denial of service.
The OpenSuSE version of krb5 1.9 has introduced a bug that causes denial of s...
Classification: openSUSE
Product: openSUSE 12.1
Classification: openSUSE
Component: Network
All Other
: P3 - Medium : Major (vote)
: Final
Assigned To: Michael Calmer
E-mail List
Depends on:
  Show dependency treegraph
Reported: 2011-11-21 09:22 UTC by Tom Parker
Modified: 2015-02-18 23:50 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Tom Parker 2011-11-21 09:22:52 UTC
User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20100101 Firefox/8.0

I have found a bug in the current version of the krb5 client side
libraries that suse is packaging that can cause a denial of service in
a multi-KDC setup where one of the KDC processes is down.  If one KDC
is down the client will be unable to authenticate to any of the other
KDCs until either the server hosting the KDC process is brought down
or the KDC process is restarted.

The packagers at Red Hat said:

That looks like a bug that we ran into when the send-to-kdc code was
reworked to use poll() (RT#6905) and we pulled it from trunk to add to
our 1.9 and 1.9.1 binary packages.  The fix was RT#6951.  We ran into
another case, too, but by then that part of the library had been
reworked again so that trunk didn't need the fix, so I didn't open a
ticket for it.  I'll append the patch for it below.



If we exit the transmit loop cleanly, don't overestimate the size of the
connections array.  This bug appears to have been removed upstream when
this function was rewritten in trunk, and the select()-based implementation
is still what's in 1.9, so this patch has nowhere to go.
--- krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c	2011-09-28 14:54:20.560811664 -0400
+++ krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c	2011-09-28 14:54:11.396812292 -0400
@@ -1317,7 +1319,10 @@ krb5int_sendto (krb5_context context, co
            call with the last one from the above loop, if the loop
            actually calls select.  */
         sel_state->end_time.tv_sec += delay_this_pass;
-        e = service_fds(context, sel_state, conns, host+1, &winning_conn,
+        i = host+1;
+        if (i > n_conns)
+            i = n_conns;
+        e = service_fds(context, sel_state, conns, i, &winning_conn,
                         sel_state+1, msg_handler, msg_handler_data);
         if (e)

Reproducible: Always

Steps to Reproduce:
1.  Set up a multi KDC Kerberos REALM and use SRV records to publish KDC locations
2.  Stop the KDC service on one of the nodes. (Do not shut down server,  Just have nothing listening on the port)
3.  Kinit will now fail.
Actual Results:  
Kinit fails with:

kinit: sendto_kdc.c:617: cm_get_ssflags: Assertion `i < selstate->nfds' failed. 

Expected Results:  
Successful kinit against active KDC
Comment 1 Michael Calmer 2011-11-21 10:40:24 UTC
Thanks for the report. 
The fix is already commited in the devel project for FACTORY.
It will go out with the next update for 12.1
Comment 2 Tom Parker 2011-11-22 16:15:28 UTC
Thanks for the Fix.  I am using the Build Services versions and I can confirm that they are fixed.
Comment 3 Michael Calmer 2011-11-22 16:52:49 UTC
Thanks for confirming that the fix is working.
Comment 4 Michael Calmer 2011-12-07 08:59:03 UTC
Fix submitted to openSUSE 12.1 for update.
Closing as fixed.
Comment 5 Bernhard Wiedemann 2011-12-07 09:00:24 UTC
This is an autogenerated message for OBS integration:
This bug (731648) was mentioned in
https://build.opensuse.org/request/show/95685 12.1 / krb5
https://build.opensuse.org/request/show/95686 Factory / krb5