From ratliff@austin.ibm.com Wed Nov 14 18:48:45 2001
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.72.0.53])
	by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id SAA10143
	for ; Wed, 14 Nov 2001 18:48:44 -0500 (EST)
Received: from mg02.austin.ibm.com (mg02.austin.ibm.com [192.35.232.12])
	by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id SAA26399
	for ; Wed, 14 Nov 2001 18:48:43 -0500 (EST)
Received: from austin.ibm.com (netmail2.austin.ibm.com [9.3.7.139])
	by mg02.austin.ibm.com (AIX4.3/8.9.3/8.9.3) with ESMTP id RAA25906
	for ; Wed, 14 Nov 2001 17:56:26 -0600
Received: from spiff.austin.ibm.com (spiff.austin.ibm.com [9.53.216.123])
	by austin.ibm.com (AIX4.3/8.9.3/8.9.3) with ESMTP id RAA36076
	for ; Wed, 14 Nov 2001 17:48:42 -0600
Received: by spiff.austin.ibm.com (Postfix, from userid 501)
	id 4156B82ADE; Wed, 14 Nov 2001 17:48:34 -0600 (CST)
Message-Id: <20011114234834.4156B82ADE@spiff.austin.ibm.com>
Date: Wed, 14 Nov 2001 17:48:34 -0600 (CST)
From: ratliff@austin.ibm.com
Reply-To: ratliff@austin.ibm.com
To: krb5-bugs@mit.edu
Cc: ratliff@austin.ibm.com
Subject: bug in accept_sec_context.c
X-Send-Pr-Version: 3.99

>Number: 1015
>Category: krb5-libs
>Synopsis: bug in TREAD_STR macro call in accept_sec_context.c
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Nov 14 18:49:01 EST 2001
>Last-Modified:
>Originator: Emily Ratliff
>Organization: IBM Linux Technology Center, Security
>Release: krb5-current-20011110
>Environment:
System: Linux spiff.austin.ibm.com 2.2.17-21mdk #1 Thu Oct 5 13:16:08 CEST 2000 i686 unknown
Architecture: i686
>Description:
You have made several improvements to handling forwarded creds in
krb5_gss_accept_sec_context() in accept_sec_context.c. One small problem
remains. The call to the TREAD_STR macro sends bigend as the third parameter,
but the third parameter should be the expected length of the string or
option.length.

Also, in making your changes you separated the comment on line 485 from the
code that it is commenting on - that TREAD_STR macro call.

I've included a patch to fix the buglet and move the comment back down to in
front of the call to TREAD_STR.

Thanks!
Emily
>How-To-Repeat:
>Fix:
diff -ur src.orig/lib/gssapi/krb5/accept_sec_context.c src/lib/gssapi/krb5/accept_sec_context.c --- src.orig/lib/gssapi/krb5/accept_sec_context.c Wed Nov 14 17:07:03 2001 +++ src/lib/gssapi/krb5/accept_sec_context.c Wed Nov 14 17:25:42 2001
@@ -482,16 +482,16 @@ i -= 4; - /* have to use ptr2, since option.data is wrong type and - macro uses ptr as both lvalue and rvalue */ - if (i < option.length || option.length < 0) { code = KG_BAD_LENGTH; major_status = GSS_S_FAILURE; goto fail; } - TREAD_STR(ptr, ptr2, bigend); + /* have to use ptr2, since option.data is wrong type and + macro uses ptr as both lvalue and rvalue */ + + TREAD_STR(ptr, ptr2, option.length); option.data = (char *) ptr2; i -= option.length; >Audit-Trail: >Unformatted:
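Review bot: the added blank "+" line between the relocated comment and "TREAD_STR(ptr, ptr2, option.length);" still leaves the comment detached from the call it describes, which is the separation the report sets out to undo; drop that blank line so the comment sits directly above the call. On the length fix itself, option.length is now both the third argument to TREAD_STR and the amount subtracted from i, so the "if (i < option.length || option.length < 0)" check has to stay ahead of the call; a short comment on that check saying it guards the TREAD_STR below would keep a later reordering from separating them again.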