Closed
Description
This is originally discussed here: dotnet/runtime#83540
It looks like a recent regression, and I can provide core dumps if needed.
So far it has manifested for us on RedHat 7, but it may not be limited to this.
```
[toweinfu@toweinfu-rh7 System.Net.Mail.Functional.Tests]$ rpm -qi gssntlmssp
Name        : gssntlmssp
Version     : 1.2.0
Release     : 1.el7
Architecture: x86_64
Install Date: Thu 09 Mar 2023 06:29:25 PM UTC
Group       : System Environment/Libraries
Size        : 137341
License     : LGPLv3+
Signature   : RSA/SHA256, Tue 21 Feb 2023 04:30:30 PM UTC, Key ID 6a2faea2352c64e5
Source RPM  : gssntlmssp-1.2.0-1.el7.src.rpm
Build Date  : Tue 21 Feb 2023 02:14:11 PM UTC
Build Host  : buildhw-x86-12.iad2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : https://fedorahosted.org/gss-ntlmssp
Bug URL     : https://bugz.fedoraproject.org/gssntlmssp
Summary     : GSSAPI NTLMSSP Mechanism
Description :
A GSSAPI Mechanism that implements NTLMSSP
```
```
(lldb) r
Process 2230 launched: '../../correlation-payload/dotnet' (x86_64)
Discovering: System.Net.Mail.Functional.Tests (method display = ClassAndMethod, method display options = None)
Discovered:  System.Net.Mail.Functional.Tests (found 155 of 156 test cases)
Starting:    System.Net.Mail.Functional.Tests (parallel test collections = on, max threads = 2)
Process 2230 stopped
* thread #11: tid = 2256, 0x00007fff74e9331f gssntlmssp.so`ntlm_decode_u16l_str_hdr(str_hdr=0x00007fbeb001266c, buffer=0x00007fbeb0009ba0, payload_offs=56, str=0x00007fbecabfbd40, ctx=0x0000000000000000) + 111 at ntlm.c:328, name = '.NET Long Runni', stop reason = signal SIGSEGV: invalid address (fault address: 0x0)
    frame #0: 0x00007fff74e9331f gssntlmssp.so`ntlm_decode_u16l_str_hdr(str_hdr=0x00007fbeb001266c, buffer=0x00007fbeb0009ba0, payload_offs=56, str=0x00007fbecabfbd40, ctx=0x0000000000000000) + 111 at ntlm.c:328
   325          safefree(out);
   326      } else {
   327          /* make sure to terminate output string */
-> 328          out[outlen] = '\0';
   329      }
   330
   331      *str = out;
(lldb) bt
* thread #11: tid = 2256, 0x00007fff74e9331f gssntlmssp.so`ntlm_decode_u16l_str_hdr(str_hdr=0x00007fbeb001266c, buffer=0x00007fbeb0009ba0, payload_offs=56, str=0x00007fbecabfbd40, ctx=0x0000000000000000) + 111 at ntlm.c:328, name = '.NET Long Runni', stop reason = signal SIGSEGV: invalid address (fault address: 0x0)
  * frame #0: 0x00007fff74e9331f gssntlmssp.so`ntlm_decode_u16l_str_hdr(str_hdr=0x00007fbeb001266c, buffer=0x00007fbeb0009ba0, payload_offs=56, str=0x00007fbecabfbd40, ctx=0x0000000000000000) + 111 at ntlm.c:328
    frame #1: 0x00007fff74e94b2a gssntlmssp.so`ntlm_decode_chal_msg(ctx=<unavailable>, buffer=0x00007fbeb0009ba0, _flags=0x00007fbecabfbdd4, target_name=0x00007fbecabfbe08, challenge=0x00007fbecabfbe10, target_info=0x00007fbecabfbe20) + 186 at ntlm.c:1125
    frame #2: 0x00007fff74e9b394 gssntlmssp.so`gssntlm_init_sec_context(minor_status=0x00007fbecabfcb00, claimant_cred_handle=0x00007fbeb0012c30, context_handle=<unavailable>, target_name=<unavailable>, mech_type=<unavailable>, req_flags=<unavailable>, time_req=0, input_chan_bindings=0x0000000000000000, input_token=0x00007fbeb0009900, actual_mech_type=0x00007fbeb0013100, output_token=0x00007fbecabfc120, ret_flags=0x00007fbeb00130f0, time_rec=0x0000000000000000) + 2436 at gss_sec_ctx.c:290
    frame #3: 0x00007fff76297ecb libgssapi_krb5.so.2`gss_init_sec_context + 555
    frame #4: 0x00007fff762be6ef libgssapi_krb5.so.2`___lldb_unnamed_symbol372$$libgssapi_krb5.so.2 + 239
    frame #5: 0x00007fff762c046a libgssapi_krb5.so.2`___lldb_unnamed_symbol374$$libgssapi_krb5.so.2 + 1178
    frame #6: 0x00007fff76297ecb libgssapi_krb5.so.2`gss_init_sec_context + 555
    frame #7: 0x00007fffeeefacd7 libSystem.Net.Security.Native.so`NetSecurityNative_InitSecContextEx(minorStatus=0x00007fbecabfcb00, claimantCredHandle=0x00007fbeb00127e0, contextHandle=0x00007fbecabfc760, packageType=0, cbt=0x0000000000000000, cb
```
and note dotnet/runtime#83540 (comment)
Likely introduced by this security fix: c753000
When str_len is 0, the code takes the goto done here; ret, out and outlen are all 0, and the code crashes here.
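The failure path described in the comment above (a zero-length string field leaves `out` NULL, and the unconditional terminating write `out[outlen] = '\0'` then dereferences it) is easiest to reason about next to a decoder that handles the empty field explicitly. The following is an added C example, not gss-ntlmssp's code: the struct, function names, and the message layout (one field header at offset 12, payload at offset 56, loosely modelled on the NTLM challenge message) are hypothetical, and the sample messages are constructed inline. It always allocates at least one byte for the output string, so the terminator write is valid for an empty field, and it bounds-checks non-empty fields against the message length before reading the payload.

```c
/* Added example, not gss-ntlmssp's code: decoding an NTLM-style string
 * field (len, maxlen, offset) so that a zero-length field yields an empty,
 * NUL-terminated string instead of a NULL pointer that is later written.
 * Struct and function names, and the message layout, are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Field header: 16-bit length, 16-bit max length, 32-bit offset from the
 * start of the message; all little-endian. */
struct str_hdr {
    uint16_t len;
    uint16_t maxlen;
    uint32_t offset;
};

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32le(const uint8_t *p) { return rd16le(p) | ((uint32_t)rd16le(p + 2) << 16); }

/* Read the 8-byte header at msg+hdr_offs; -1 if the header itself is out of bounds. */
static int parse_str_hdr(const uint8_t *msg, size_t msg_len, size_t hdr_offs, struct str_hdr *h)
{
    if (hdr_offs > msg_len || msg_len - hdr_offs < 8) return -1;
    h->len = rd16le(msg + hdr_offs);
    h->maxlen = rd16le(msg + hdr_offs + 2);
    h->offset = rd32le(msg + hdr_offs + 4);
    return 0;
}

/* Decode a UTF-16LE field into a NUL-terminated string; only the ASCII
 * subset is converted, anything else is rejected. On success the caller
 * owns *str. The allocation is always at least one byte, so the
 * terminating write is valid even when the field is empty. */
static int decode_u16l_str(const uint8_t *msg, size_t msg_len, const struct str_hdr *h,
                           size_t payload_offs, char **str)
{
    size_t nchars = h->len / 2, i;
    char *out;

    *str = NULL;
    if (h->len % 2 != 0) return -1;
    /* Non-empty fields must lie inside the message and inside the payload area. */
    if (h->len != 0) {
        if (h->offset < payload_offs) return -1;
        if (h->offset > msg_len || msg_len - h->offset < h->len) return -1;
    }
    out = malloc(nchars + 1);            /* nchars + 1 >= 1, never malloc(0) */
    if (out == NULL) return -1;
    for (i = 0; i < nchars; i++) {
        uint16_t cu = rd16le(msg + h->offset + 2 * i);
        if (cu == 0 || cu > 0x7f) { free(out); return -1; }
        out[i] = (char)cu;
    }
    out[nchars] = '\0';                  /* safe: out points at >= 1 byte */
    *str = out;
    return 0;
}

/* Constructed layout loosely modelled on the NTLM challenge message:
 * one field header at offset 12, payload starting at offset 56. */
#define FIELD_HDR_OFFS 12
#define PAYLOAD_OFFS   56

/* Build a message whose single field holds `ascii` as UTF-16LE; returns its length. */
static size_t build_msg(const char *ascii, uint8_t *buf, size_t cap)
{
    size_t n = strlen(ascii), i;
    if (cap < PAYLOAD_OFFS + 2 * n) return 0;
    memset(buf, 0, PAYLOAD_OFFS);
    buf[FIELD_HDR_OFFS]     = buf[FIELD_HDR_OFFS + 2] = (uint8_t)(2 * n);
    buf[FIELD_HDR_OFFS + 1] = buf[FIELD_HDR_OFFS + 3] = (uint8_t)((2 * n) >> 8);
    buf[FIELD_HDR_OFFS + 4] = PAYLOAD_OFFS;
    for (i = 0; i < n; i++) {
        buf[PAYLOAD_OFFS + 2 * i] = (uint8_t)ascii[i];
        buf[PAYLOAD_OFFS + 2 * i + 1] = 0;
    }
    return PAYLOAD_OFFS + 2 * n;
}

/* Decode the field of a constructed message; NULL if the decoder rejects it.
 * msg_len_override < 0 means "use the real length"; a smaller value simulates
 * a truncated message whose header still claims the full field. */
static char *decode_field(const char *ascii, long msg_len_override)
{
    uint8_t buf[256];
    struct str_hdr h;
    char *s;
    size_t len = build_msg(ascii, buf, sizeof buf);
    if (len == 0) return NULL;
    if (msg_len_override >= 0) len = (size_t)msg_len_override;
    if (parse_str_hdr(buf, len, FIELD_HDR_OFFS, &h) != 0) return NULL;
    if (decode_u16l_str(buf, len, &h, PAYLOAD_OFFS, &s) != 0) return NULL;
    return s;
}

int main(void)
{
    char *s = decode_field("", -1);      /* the zero-length case from the report */
    printf("empty field -> \"%s\"\n", s ? s : "(rejected)");
    free(s);
    s = decode_field("HOST", -1);
    printf("HOST -> \"%s\"\n", s ? s : "(rejected)");
    free(s);
    printf("truncated -> %s\n", decode_field("HOST", PAYLOAD_OFFS + 2) ? "accepted" : "rejected");
    return 0;
}
```

The design point is that the empty case is not an error: an NTLM peer may legitimately send a zero-length target name, so the decoder returns `""` rather than NULL, and every later consumer can treat the result as a normal C string. Truncated messages, by contrast, are rejected before any payload byte is read.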