301030 - Negotiate auth crashes browser

Status: RESOLVED FIXED

(Core :: Networking: HTTP, defect)

Description

[Christopher Nebergall]

I've tried with and without kerberos credentials and Negotiate from the server
crashes browser.

Tried with Firefox nightly Trunk build from 7/15 (possibly 7/14 I don't have it
in front of me).

This is most likely fallout from bug Bug 295109.

I don't have Mac easily available till wednesday of next week to debug this, but
I'll see what I can do.

Comment 1

[Christopher Mason]

Stack trace terminates in nsNegotiateAuth::QueryInterface(nsID const&, void**) +
0x3f0.  It occurs both against IIS6 and Apache (2.0.52) with mod_auth_kerb
(5.0rc6).  It is entirely reproducible.

The crash occurs in:

Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b3) Gecko/20050712
Firefox/1.0+ [deerpark alpha2]

The crash does not occur in:

Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.9) Gecko/20050711
Firefox/1.0.5
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050531
Firefox/1.0+ [deerpark alpha1]
20050714 nightly on windows.

Talkback: TB7629300E

Would it be helpful to narrow between 20050711 and 20050531, or does Bug 295109
tell you all you need to know?

Comment 2

[Christopher Mason]

Note, this appears Mac specific.  Suggest changing Hardware to Macintosh.

Comment 3

[Mark Mentovai]

Probably 295109/299305, but to be sure, compare builds from, say, 0628 and 0701.

I don't have a server handy that'll to do negotiateauth, and I'm in no mood to
set up krb5 at the moment.  I'll take a look at this if someone can point me to
an appropriate server.  Real credentials aren't needed to reproduce, right?

Either that or a better snapshot of the stack would be helpful.

Comment 4

[Christopher Mason]

Attachment: Traceback from 2005-07-01-07-trunk

works:
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050628
Firefox/1.0+

crashes:
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050701
Firefox/1.0+

gdb traceback attached.  (Why no function arguments?)

Apparently, the following Apache httpd.conf for mod_auth_kerb will crash
firefox without even needing a real krb5.conf, KDC, etc:

==cut
LoadModule auth_kerb_module modules/mod_auth_kerb.so
<Directory /var/www/html/authtest>
	AuthType Kerberos
	AuthName kerberos
	Krb5Keytab /etc/httpd/conf/fake.keytab
	KrbMethodNegotiate On
	Allow from all
	require valid-user
</Directory>
== cut

/etc/httpd/conf/fake.keytab is an empty file readable by the user apache runs
as.  Unfortunately, I'm behind a firewall, so I can't offer a test server.

Comment 5

[Mark Mentovai]

Still can't reproduce (yet?) - will look again tomorrow.  Test servers still
welcome.

Comment 6

[Christian :Biesinger (don't email me, ping me on IRC)]

> (Why no function arguments?)

most likely because there are no symbols (i.e. gcc did not have the -g
argument). probably compiled without --enable-debug.

Comment 7

[Mark Mentovai]

Attachment: Fix

Oops, too many pointers.  It should be static, too.

Comment 8

[Mark Mentovai]

Attachment: v1.0.1, fix

This makes even more sense.

Comment 9

[Christopher Nebergall]

I have verified that the only time that Mac OS X crashes is when the 
KLCacheHasValidTickets function pointer has been called. I was able to verify 
this by toggling network.negotiate-auth.using-native-gsslib.  So I think you 
are definitely on the right track.  A follow on bug after it is fixed is that 
we can most likely get rid of the network.negotiate-auth.using-native-gsslib 
pref and only call KLCacheHasValidTickets if we happen to find it in the gss 
library.

Comment 10

[Mark Mentovai]

I don't get it.  Does that mean you give r+, or does that mean that you're still
crashing with patch "1.0.1"?

Comment 11

[Christopher Nebergall]

Comment on attachment 189897 [details] [diff] [review]
v1.0.1, fix

Looks fine to me. Thanks!

Comment 12

[Mike Connor [:mconnor]]

Comment on attachment 189897 [details] [diff] [review]
v1.0.1, fix

You need to get review from appropriate module owners/peers.

Comment 13

[Mark Mentovai]

Comment on attachment 189897 [details] [diff] [review]
v1.0.1, fix

This is extensions/negotiateauth, which cneberg is intimately familiar with.   
This would not be the first time he's given review for negotiateauth.  Bugzilla
doesn't have an appropriate category, but I can't think of anyone more suitable
for review than he - in fact, I can't think of anyone else at all who's even
interested in negoatiateauth.  Since you cancelled his review, I'll stick it on
you.

Recent checkins to negotiateauth have been with r-only, or single-reviewer r/sr
combined.  Certainly two sets of eyes are better than one?

Comment 14

[Christopher Nebergall]

I've helped review other bugs for darin in the same module. How is this
different? See comments on Bug 237851. (Note my email has changed to gmail since
then.) Note a few bugs that I've reviewed, bug 241124, Bug 239734, Bug 230351, etc.

Comment 15

[Darin Fisher]

Comment on attachment 189897 [details] [diff] [review]
v1.0.1, fix

sr=darin

thanks mark!

Comment 16

[Darin Fisher]

Comment on attachment 189897 [details] [diff] [review]
v1.0.1, fix

marking r=cneberg based on previous comments.  he's the expert in this area,
wrote much of the original code, and continues to be an invaluable resource for
all things authentication related (kerberos or otherwise).

Comment 17

[Mark Mentovai]

This bug's been foxed.

Comment 18

[Mark Mentovai]

Attachment: Stop the burning

FYI.  r/sr=bz.

Comment 19

[Mark Mentovai]

Clearing blocking? flags as this went in.

Comment 20

[Christopher Nebergall]

Mark, I just verified everything was working as expected in the latest nightly.
 Thanks!