https://bugzilla.novell.com/show_bug.cgi?id=731648 https://bugzilla.novell.com/show_bug.cgi?id=731648#c0 Summary: The OpenSuSE version of krb5 1.9 has introduced a bug that causes denial of service. Classification: openSUSE Product: openSUSE 12.1 Version: Final Platform: All OS/Version: Other Status: NEW Severity: Major Priority: P5 - None Component: Network AssignedTo: bnc-team-screening@forge.provo.novell.com ReportedBy: tparker@cbnco.com QAContact: qa@suse.de Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20100101 Firefox/8.0 I have found a bug in the current version of the krb5 client side libraries that suse is packaging that can cause a denial of service in a multi-KDC setup where one of the KDC processes is down. If one KDC is down the client will be unable to authenticate to any of the other KDCs until either the server hosting the KDC process is brought down or the KDC process is restarted. The packagers at Red Hat said: That looks like a bug that we ran into when the send-to-kdc code was reworked to use poll() (RT#6905) and we pulled it from trunk to add to our 1.9 and 1.9.1 binary packages. The fix was RT#6951. We ran into another case, too, but by then that part of the library had been reworked again so that trunk didn't need the fix, so I didn't open a ticket for it. I'll append the patch for it below. HTH, Nalin If we exit the transmit loop cleanly, don't overestimate the size of the connections array. This bug appears to have been removed upstream when this function was rewritten in trunk, and the select()-based implementation is still what's in 1.9, so this patch has nowhere to go. --- krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c 2011-09-28 14:54:20.560811664 -0400 +++ krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c 2011-09-28 14:54:11.396812292 -0400 @@ -1317,7 +1319,10 @@ krb5int_sendto (krb5_context context, co call with the last one from the above loop, if the loop actually calls select. */ sel_state->end_time.tv_sec += delay_this_pass; - e = service_fds(context, sel_state, conns, host+1, &winning_conn, + i = host+1; + if (i > n_conns) + i = n_conns; + e = service_fds(context, sel_state, conns, i, &winning_conn, sel_state+1, msg_handler, msg_handler_data); if (e) break; Reproducible: Always Steps to Reproduce: 1. Set up a multi KDC Kerberos REALM and use SRV records to publish KDC locations 2. Stop the KDC service on one of the nodes. (Do not shut down server, Just have nothing listening on the port) 3. Kinit will now fail. Actual Results: Kinit fails with: kinit: sendto_kdc.c:617: cm_get_ssflags: Assertion `i < selstate->nfds' failed. Expected Results: Successful kinit against active KDC -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.