From dsr@lnscu5.lns.cornell.edu Fri Feb 22 14:04:41 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id OAA20665 for ; Fri, 22 Feb 2002 14:04:40 -0500 (EST) Received: from lnscu5.lns.cornell.edu (lnscu5.lns.cornell.edu [128.84.44.111]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id OAA26190 for ; Fri, 22 Feb 2002 14:04:40 -0500 (EST) Received: from lnscu6.lns.cornell.edu (lnscu6.lns.cornell.edu [128.84.45.151]) by lnscu5.lns.cornell.edu (8.12.1/8.12.1) with ESMTP id g1MJ4do2011739 for ; Fri, 22 Feb 2002 14:04:40 -0500 (EST) Received: by lnscu6.lns.cornell.edu (8.8.8/1.1.22.3/15Feb00-0854AM) id OAA0000019458; Fri, 22 Feb 2002 14:04:39 -0500 (EST) Message-Id: <200202221904.OAA0000019458@lnscu6.lns.cornell.edu> Date: Fri, 22 Feb 2002 14:04:39 -0500 (EST) From: Dan Riley Reply-To: dsr@mail.lns.cornell.edu To: krb5-bugs@mit.edu Subject: error in option processing of krb5_gss_accept_sec_context X-Send-Pr-Version: 3.99 >Number: 1060 >Category: krb5-libs >Synopsis: incorrect arg to TREAD_STR in option processing >Confidential: no >Severity: non-critical >Priority: medium >Responsible: krb5-unassigned >State: open >Class: sw-bug >Submitter-Id: unknown >Arrival-Date: Fri Feb 22 14:05:01 EST 2002 >Last-Modified: >Originator: Dan Riley >Organization: LNS, Cornell U. >Release: krb5-1.2.3 >Environment: System: OSF1 lnscu6.lns.cornell.edu V4.0 1229 alpha Machine: alpha >Description: krb5_gss_accept_sec_context has an argument error that should bite if it there is more than one option to process. >How-To-Repeat: >Fix: diff -ur krb5-1.2.3/src/lib/gssapi/krb5/accept_sec_context.c krb5/lib/gssapi/krb5/accept_sec_context.c --- krb5-1.2.3/src/lib/gssapi/krb5/accept_sec_context.c Wed Jan 9 17:27:43 2002 +++ krb5/lib/gssapi/krb5/accept_sec_context.c Thu Dec 6 15:29:41 2001 @@ -456,16 +456,16 @@ i -= 4; - /* have to use ptr2, since option.data is wrong type and - macro uses ptr as both lvalue and rvalue */ - if (i < option.length || option.length < 0) { code = KG_BAD_LENGTH; major_status = GSS_S_FAILURE; goto fail; } - TREAD_STR(ptr, ptr2, bigend); + /* have to use ptr2, since option.data is wrong type and + macro uses ptr as both lvalue and rvalue */ + + TREAD_STR(ptr, ptr2, option.length); option.data = (char FAR *) ptr2; i -= option.length; >Audit-Trail: >Unformatted: