krb5_child: fix enterprise principal parsing in keep-alive sessions#8351
krb5_child: fix enterprise principal parsing in keep-alive sessions#8351alexey-tikhonov merged 1 commit intoSSSD:masterfrom
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request aims to fix enterprise principal parsing in keep-alive sessions by re-parsing principals when settings are updated. The overall approach is correct, but the implementation introduces several critical use-after-free vulnerabilities. In multiple places, memory is freed but the corresponding pointers are not nullified. If a subsequent operation fails, these dangling pointers can be freed again in a later call, leading to a crash. I've provided specific comments and suggestions to fix these issues.
ikerexxe
force-pushed
the
fix-upn-parsing
branch
2 times, most recently
from
1e56bc9 to
a06b02e
Compare
ikerexxe
force-pushed
the
fix-upn-parsing
branch
from
a06b02e to
388d902
Compare
ikerexxe
force-pushed
the
fix-upn-parsing
branch
from
388d902 to
d5799c5
Compare
|
@aplopez do you mind taking another look? |
Looking better now. |
|
/gemini review |
There was a problem hiding this comment.
Code Review
The pull request effectively addresses the issue of enterprise principal parsing inconsistencies in keep-alive sessions. By ensuring that krb5_req settings, including use_enterprise_princ, validate, posix_domain, and send_pac, are correctly updated between commands, and by re-parsing the principal with appropriate flags when necessary, the changes fix UPN handling in complex AD environments. The introduction of a conditional update logic for kr->princ and proper management of kr->creds and kr->name contribute to the correctness and robustness of the Kerberos child process.
| /* Update settings that may change between commands */ | ||
| dest->use_enterprise_princ = src->use_enterprise_princ; | ||
| dest->validate = src->validate; | ||
| dest->posix_domain = src->posix_domain; | ||
| dest->send_pac = src->send_pac; |
There was a problem hiding this comment.
The update of use_enterprise_princ, validate, posix_domain, and send_pac in krb5_req_update is critical for ensuring that subsequent Kerberos operations in a keep-alive session use the correct configuration. Without this, the principal parsing logic in k5c_setup might operate with stale flags, leading to incorrect behavior, especially in dynamic AD environments.
| kerr = sss_krb5_parse_name_flags(kr->ctx, kr->upn, parse_flags, &princ); | ||
| if (kerr != 0) { | ||
| KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr); | ||
| return kerr; |
There was a problem hiding this comment.
The introduction of a temporary princ and the subsequent comparison with kr->princ before updating is a robust way to handle changes in the principal. This prevents unnecessary re-initialization if the principal remains the same and correctly updates it when needed, which is vital for the PR's objective.
| ret = k5c_setup(kr, offline); | ||
| if (ret != EOK) { | ||
| DEBUG(SSSDBG_CRIT_FAILURE, "k5c_setup failed during keep-alive [%d]: %s\n", | ||
| ret, sss_strerror(ret)); | ||
| goto done; |
There was a problem hiding this comment.
Calling k5c_setup after krb5_req_update is essential. This ensures that any updated settings received from the backend (like use_enterprise_princ) are immediately applied to the krb5_req structure before further processing, which is crucial for correct principal parsing and credential handling.
| if (kr->princ == NULL || !krb5_principal_compare(kr->ctx, kr->princ, princ)) { | ||
| DEBUG(SSSDBG_TRACE_FUNC, "Updating principal\n"); | ||
| if (kr->princ != NULL) { | ||
| krb5_free_principal(kr->ctx, kr->princ); | ||
| } | ||
| kr->princ = princ; | ||
| } else { | ||
| DEBUG(SSSDBG_TRACE_FUNC, "Principal unchanged, keeping existing\n"); | ||
| krb5_free_principal(kr->ctx, princ); | ||
| } |
There was a problem hiding this comment.
The change to free kr->princ only when it's different from the newly parsed princ (or if kr->princ was initially NULL) is a good memory management practice. It avoids potential memory leaks if the principal changes during a keep-alive session.
| if (kr->princ_orig == NULL) { | ||
| kerr = krb5_parse_name(kr->ctx, kr->upn, &kr->princ_orig); | ||
| if (kerr != 0) { | ||
| KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr); | ||
| return kerr; | ||
| } | ||
| } |
There was a problem hiding this comment.
Moving the krb5_parse_name call for kr->princ_orig inside an if (kr->princ_orig == NULL) block improves efficiency by preventing redundant parsing of the original principal if it has already been set.
| sss_krb5_free_unparsed_name(kr->ctx, kr->name); | ||
| kr->name = NULL; |
There was a problem hiding this comment.
The explicit freeing of kr->name before unparsing a new one is good practice to prevent memory leaks and ensure kr->name always reflects the current kr->princ.
| if (kr->creds != NULL) { | ||
| krb5_free_cred_contents(kr->ctx, kr->creds); | ||
| } else { | ||
| kr->creds = calloc(1, sizeof(krb5_creds)); | ||
| if (kr->creds == NULL) { | ||
| DEBUG(SSSDBG_CRIT_FAILURE, "calloc failed.\n"); | ||
| return ENOMEM; | ||
| } | ||
| } |
There was a problem hiding this comment.
The conditional freeing of kr->creds contents before potential reallocation ensures that the creds structure is always in a clean state, preventing memory leaks or data corruption if it was previously used.
sumit-bose
left a comment
sumit-bose
left a comment
There was a problem hiding this comment.
Hi,
thank you for the patch, ACK
bye,
Sumit
When keep-alive sessions transition between command types (e.g., from SSS_PAM_PREAUTH to SSS_PAM_AUTHENTICATE), enterprise principal settings were not being updated, causing parsing inconsistencies in complex AD environments. This change ensures that when the backend sends updated enterprise principal settings for different command types, the principals are correctly re-parsed with the appropriate flags, fixing UPN handling in multi-domain AD environments. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com> Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com>
sssd-bot
force-pushed
the
fix-upn-parsing
branch
from
d5799c5 to
cc649a0
Compare
alexey-tikhonov
added
backport-to-sssd-2-12
and removed
no-backport
5 participants
When keep-alive sessions transition between command types (e.g., from SSS_PAM_PREAUTH to SSS_PAM_AUTHENTICATE), enterprise principal settings were not being updated, causing parsing inconsistencies in complex AD environments.
This change ensures that when the backend sends updated enterprise principal settings for different command types, the principals are correctly re-parsed with the appropriate flags, fixing UPN handling in multi-domain AD environments.