NetBSD Problem Report #55145

From duncan@ecs.vuw.ac.nz  Mon Apr  6 05:42:05 2020
Return-Path: <duncan@ecs.vuw.ac.nz>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id D54141A9213
	for <gnats-bugs@gnats.NetBSD.org>; Mon,  6 Apr 2020 05:42:05 +0000 (UTC)
Message-Id: <202004060542.0365g28M016285@turakirae.ecs.vuw.ac.nz>
Date: Mon, 6 Apr 2020 17:42:02 +1200 (NZST)
From: duncan@ecs.vuw.ac.nz
Reply-To: duncan@ecs.vuw.ac.nz
To: gnats-bugs@NetBSD.org
Subject: kadmin mis-parses commands that include '\' escape characters
X-Send-Pr-Version: 3.95

>Number:         55145
>Category:       bin
>Synopsis:       kadmin mis-parses commands that include '\' escape characters
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Apr 06 05:45:00 +0000 2020
>Originator:     Duncan McEwan
>Release:        NetBSD 8.1_STABLE
>Organization:
	School of Engineering and Computer Science,
	Victoria University of Wellington
>Environment:
System: NetBSD turakirae.ecs.vuw.ac.nz 8.1_STABLE NetBSD 8.1_STABLE (GENERIC) #4: Sun Jan 12 17:21:45 NZDT 2020 mark@turakirae.ecs.vuw.ac.nz:/local/SAVE/8_64.obj/src/work/8/src/sys/arch/amd64/compile/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:
If you run kadmin (or kadmin -l) in interactive mode and enter command line
parameters containing '\' escape characters, in some circumstances the command
is not parsed correctly.
>How-To-Repeat:
For example:

* Try to include the character sequence '\"' in a password

kdc# kadmin -l
kadmin> cpw --password="xxx\\\"yyy" duncan
sl_loop: out of memory
kadmin> cpw --password=xxx\\"yyy duncan
kadmin>

I think the 2nd case above only succeeds due to the bug - it should fail
because of the unescaped '"' character.

* Try to end a password with '"'

kdc# kadmin -l
kadmin> cpw --password="xxx\"" duncan
sl_loop: out of memory
kadmin> cpw --password=xxx\" duncan
Arguments given (0) are less than expected (1).

Usage: passwd [-rh] [--random-key] [--random-password] [--password=string]
   [-p string] [--key=string] [--help] principal...
   -r, --random-key             set random key
   --random-password            set random password
   -p string, --password=string princial's password
   --key=string                 DES key in hex

* Try to include spaces in a password using '\' escapes rather than "..."

kdc# kadmin -l
kadmin> cpw --password=xxx\ yyy duncan
kadmin> cpw --password=xxx\\ yyy duncan
kadmin> cpw --password=xxx\\\ yyy duncan
kadmin: cpw yyy: Principal does not exist
kadmin> cpw --password=xxx\ \ yyy duncan
kadmin: cpw  yyy: Principal does not exist
kadmin>

In the above, the 2nd case should result in the error of the 3rd since there's
an unescaped ' '.  The 3rd case should work.

>Fix:
The above failures are all caused by an off-by-one error in
src/crypto/external/bsd/heimdal/dist/lib/sl/sl.c.

--- src/crypto/external/bsd/heimdal/dist/lib/sl/sl.c.orig  2017-10-21 19:21:49.292484114 +1300
+++ src/crypto/external/bsd/heimdal/dist/lib/sl/sl.c   2020-04-06 15:14:06.832183226 +1200
@@ -250,7 +250,7 @@
            if (p[1] == '\0')
                goto failed;
            memmove(&p[0], &p[1], strlen(&p[1]) + 1);
-           p += 2;
+           p += 1;
            continue;
        } else if (quote || !isspace((unsigned char)*p)) {
            p++;
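Review bot: `p += 1` is the right stride here. Once `memmove(&p[0], &p[1], strlen(&p[1]) + 1)` has dropped the backslash, the escaped character is already at `p[0]`, so the old `p += 2` stepped over the character after it without ever classifying it; that is exactly why an unescaped `"` or space following an escape was taken literally in the How-To-Repeat cases, and why `xxx\\"yyy` was accepted when it should have been rejected. One follow-up outside this hunk: the interactive transcript shows malformed input surfacing as `sl_loop: out of memory`; if the `goto failed` path feeds that same diagnostic, a distinct parse-error message would make the trailing-backslash and unterminated-quote cases much easier to recognise.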

I added some extra test cases to test_sl.c.  With the original code these all
fail.  With the above patch the original and these additional tests all pass.

--- src/crypto/external/bsd/heimdal/dist/lib/sl/test_sl.c.orig   2017-10-21 19:21:49.294261371 +1300
+++ src/crypto/external/bsd/heimdal/dist/lib/sl/test_sl.c   2020-04-06 16:05:01.408434086 +1200
@@ -60,6 +60,9 @@
     { 1, "\"foo bar baz\"", 1, { "foo bar baz" }},
     { 1, "\\\"foo bar baz", 3, { "\"foo", "bar", "baz" }},
     { 1, "\\ foo bar baz", 3, { " foo", "bar", "baz" }},
+    { 1, "foo\\\\\\\"barbaz", 1, { "foo\\\"barbaz" }},
+    { 1, "foobar\\\" baz", 2, { "foobar\"", "baz" }},
+    { 1, "foobar\\ \\ baz", 1, { "foobar  baz" }},
     { 0, "\\", 0, { "" }},
     { 0, "\"", 0, { "" }}
 };
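Review bot: the three expectations check out against the escape rules (`foo\\\"barbaz` collapses to `foo\"barbaz`, `foobar\" baz` splits at the unescaped space, and two escaped spaces keep `foobar  baz` as a single argument), but all three new cases are unquoted, so the first How-To-Repeat scenario (escapes inside a `"..."` argument, `"xxx\\\"yyy"`) has no counterpart in the table. Suggest adding one such as `{ 1, "\"foo\\\\\\\"bar\"", 1, { "foo\\\"bar" }},` so the quoted path through the escape branch is covered by the regression test as well.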

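The off-by-one can be seen without building Heimdal. The following is a standalone model of the tokenizer written for this edit (it is not Heimdal's `sl_make_argv` and not part of the report); it assumes the rules implied by the transcript, namely that whitespace splits arguments, `"..."` groups them and `\` escapes the next character, and it exposes the cursor advance after an escape as a `stride` parameter, where 2 reproduces the bug and 1 the patched behaviour. The inputs are the report's own kadmin lines, so the argument counts line up with the observed errors (3 arguments is a well-formed `cpw`, 2 gives the "Arguments given (0)" usage error, 4 makes `yyy` the principal).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 16

/* Constructed model (not Heimdal's sl_make_argv) of the command-line tokenizer:
 * whitespace splits arguments, "..." groups them, and '\' escapes the next
 * character.  `stride` is how far the cursor advances after an escape has been
 * collapsed: 2 reproduces the off-by-one from the PR, 1 is the patched
 * behaviour.  Tokens are written into buf (a modifiable copy of input) and
 * argv points into it.  Returns the argument count, or -1 for an unterminated
 * quote, a trailing backslash, or too many arguments. */
static int tokenize(const char *input, int stride, char *buf, size_t bufsz,
                    char *argv[], int maxargs)
{
    char *p;
    int argc = 0;

    if (strlen(input) + 1 > bufsz)
        return -1;
    strcpy(buf, input);
    p = buf;

    for (;;) {
        int quote = 0;

        while (isspace((unsigned char)*p))
            p++;
        if (*p == '\0')
            break;
        if (argc >= maxargs - 1)
            return -1;
        argv[argc++] = p;

        while (*p != '\0') {
            if (*p == '\\') {
                size_t rest;

                if (p[1] == '\0')
                    return -1;                       /* nothing to escape */
                memmove(&p[0], &p[1], strlen(&p[1]) + 1); /* drop the '\' */
                /* The escaped character now sits at p[0], so the correct
                 * advance is 1.  A stride of 2 also skips the character after
                 * it without classifying it (the PR's bug); the advance is
                 * clamped at the terminator so this model stays in bounds. */
                rest = strlen(p);
                p += (size_t)stride < rest ? (size_t)stride : rest;
                continue;
            }
            if (*p == '"') {
                quote = !quote;                      /* toggle grouping */
                memmove(&p[0], &p[1], strlen(&p[1]) + 1); /* drop the quote */
                continue;
            }
            if (!quote && isspace((unsigned char)*p)) {
                *p++ = '\0';                         /* argument ends here */
                break;
            }
            p++;
        }
        if (quote)
            return -1;                               /* unterminated "..." */
    }
    argv[argc] = NULL;
    return argc;
}

/* Convenience wrapper using static storage; the argv vector is left in g_argv. */
static char g_buf[256];
static char *g_argv[MAX_ARGS];

static int parse(const char *input, int stride)
{
    return tokenize(input, stride, g_buf, sizeof g_buf, g_argv, MAX_ARGS);
}

/* The report's own kadmin lines, exactly as typed at the kadmin> prompt. */
static const char *const cases[] = {
    "cpw --password=\"xxx\\\\\\\"yyy\" duncan",   /* should give 3 args   */
    "cpw --password=xxx\\\\\"yyy duncan",         /* should fail (open ") */
    "cpw --password=\"xxx\\\"\" duncan",          /* should give 3 args   */
    "cpw --password=xxx\\\" duncan",              /* should give 3 args   */
    "cpw --password=xxx\\\\ yyy duncan",          /* should give 4 args   */
    "cpw --password=xxx\\\\\\ yyy duncan",        /* should give 3 args   */
    "cpw --password=xxx\\ \\ yyy duncan",         /* should give 3 args   */
};

int main(void)
{
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int buggy = parse(cases[i], 2);
        int fixed = parse(cases[i], 1);
        printf("%-45s  p+=2: %2d   p+=1: %2d  password arg: %s\n",
               cases[i], buggy, fixed,
               fixed > 1 ? g_argv[1] : "(parse failed)");
    }
    return 0;
}
```

Running it prints one line per case with the argument count under each stride; the `p+=2` column reproduces every failure in the transcript (including the case that wrongly succeeds), and the `p+=1` column matches what the report says should happen.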