From dsr@mail.lns.cornell.edu Fri Feb 22 13:04:52 2002
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id NAA20478 for ; Fri, 22 Feb 2002 13:04:51 -0500 (EST)
Received: from lnscu5.lns.cornell.edu (lnscu5.lns.cornell.edu [128.84.44.111]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id NAA04728 for ; Fri, 22 Feb 2002 13:04:51 -0500 (EST)
Received: from lnscu6.lns.cornell.edu (lnscu6.lns.cornell.edu [128.84.45.151]) by lnscu5.lns.cornell.edu (8.12.1/8.12.1) with ESMTP id g1MI4oo2009511 for ; Fri, 22 Feb 2002 13:04:50 -0500 (EST)
Received: by lnscu6.lns.cornell.edu (8.8.8/1.1.10.5/23Nov96-0144PM) id NAA19219; Fri, 22 Feb 2002 13:04:50 -0500 (EST)
Message-Id: <200202221804.NAA19219@lnscu6.lns.cornell.edu>
Date: Fri, 22 Feb 2002 13:04:50 -0500 (EST)
From: Dan Riley
Reply-To: dsr@mail.lns.cornell.edu
To: krb5-bugs@mit.edu
Subject: Off by one error in lib/gssapi/krb5/init_sec_context.c
X-Send-Pr-Version: 3.99

>Number: 1057
>Category: krb5-libs
>Synopsis: krb5_gss_init_sec_context can miss requested enctypes
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Feb 22 13:05:00 EST 2002
>Last-Modified: Sat Mar 2 20:52:32 EST 2002
>Originator: Dan Riley
>Organization: LNS, Cornell U.
>Release: krb5-1.2.3
>Environment:
System: SunOS solfa1.lns.cornell.edu 5.8 Generic_108528-13 sparc
Machine: sparc
>Description:
lib/gssapi/krb5/init_sec_context.c has an off-by-one error that can result in an enctype being omitted from the list of requested_enctypes if the uninitialized value one over the end of the requested_enctypes array happens to match the value of the corresponding default_enctypes entry.
>How-To-Repeat:
Compile krb5-1.2.3 on Solaris 8 with the Workshop 6 compiler; kadmin will fail with the error

kadmin: GSS-API (or Kerberos) error while initializing kadmin interface

if the kdc only supports des-cbc-crc:normal and krb5.conf on the client does not restrict the default tgs enctypes (this is probably insufficient to repeat the error, since it depends on the values of uninitialized junk on the stack).
>Fix:
requested_enctypes is filled via

requested_enctypes[i++] = e;

so the appropriate test for scanning requested_enctypes is 'k < i', not 'k <= i'--'k <= i' goes one past the end of the initialized values of the array.

--- krb5-1.2.3/src/lib/gssapi/krb5/init_sec_context.c Wed Jan 9 17:27:43 2002
+++ krb5/lib/gssapi/krb5/init_sec_context.c Fri Feb 22 12:33:00 2002
@@ -488,10 +488,10 @@ /* Is this enctype already in the list of enctypes to request? */ - for (k = 0; k <= i; k++) + for (k = 0; k < i; k++) if (requested_enctypes[k] == e) break; - if (k <= i) + if (k < i) continue; /* Add it. */

>Audit-Trail:
State-Changed-From-To: open-closed
State-Changed-By: hartmans
State-Changed-When: Sat Mar 2 20:52:23 2002
State-Changed-Why: Fixed in 1.2.4
>Unformatted:
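Review bot: the two bound changes in this hunk must be applied together, and they are: the loop `for (k = 0; k < i; k++)` and the post-loop test `if (k < i) continue;` now agree that `i` is the count of filled entries, so `k == i` means "not found" rather than "matched the slot one past the filled entries". The original `<=` read `requested_enctypes[i]`, which at that point holds whatever was on the stack, so the bug is both an uninitialized read and, as the report describes, a silently dropped enctype when that stale value happened to equal `e`. Consider a one-line comment above the loop stating that entries `0..i-1` are the ones filled so far, since the `i++` fill site is not adjacent to this scan and the same off-by-one is easy to reintroduce.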
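To make the failure mode in the report concrete, the following is an added stand-alone C model of the deduplication loop, not code from the krb5 tree: it fills the scratch array with a chosen "stale" value to stand in for whatever happened to be on the stack, then runs the scan once with the original `k <= i` bound and once with the fixed `k < i` bound. The enctype numbers, the `krb5_enctype` stand-in typedef and the helper names are constructed for this example.

```c
#include <stdio.h>

typedef int krb5_enctype;   /* stand-in for the real typedef (assumption) */

/* Copy 'defaults' into 'requested', skipping duplicates, and return the
 * number of entries written (the value 'i' ends up with in the real code).
 * 'stale' is written into every slot first to model uninitialized stack
 * contents; 'fixed' selects the corrected bound (k < i) or the original
 * bound (k <= i), which reads the not-yet-filled slot requested[i]. */
static int build_requested(const krb5_enctype *defaults, int n,
                           krb5_enctype *requested, int cap,
                           krb5_enctype stale, int fixed)
{
    int i = 0, j, k;

    for (j = 0; j < cap; j++)
        requested[j] = stale;

    for (j = 0; j < n && i < cap; j++) {
        krb5_enctype e = defaults[j];

        /* Is this enctype already in the list of enctypes to request? */
        if (fixed) {
            for (k = 0; k < i; k++)
                if (requested[k] == e)
                    break;
            if (k < i)
                continue;           /* genuinely a duplicate */
        } else {
            for (k = 0; k <= i; k++)
                if (requested[k] == e)
                    break;
            if (k <= i)
                continue;           /* may be fooled by requested[i] */
        }

        /* Add it. */
        requested[i++] = e;
    }
    return i;
}

/* Constructed scenario: the stale slot content (3) equals one of the
 * defaults, which is exactly the coincidence the bug report describes. */
static const krb5_enctype demo_defaults[] = { 1, 3, 1, 5 };
static const krb5_enctype demo_stale = 3;
#define DEMO_N   ((int)(sizeof demo_defaults / sizeof demo_defaults[0]))

/* Number of enctypes that survive into the requested list. */
int demo_count(int fixed)
{
    krb5_enctype requested[DEMO_N];
    return build_requested(demo_defaults, DEMO_N, requested, DEMO_N,
                           demo_stale, fixed);
}

/* 1 if enctype 'e' made it into the requested list, else 0. */
int demo_has(int fixed, krb5_enctype e)
{
    krb5_enctype requested[DEMO_N];
    int n = build_requested(demo_defaults, DEMO_N, requested, DEMO_N,
                            demo_stale, fixed);
    for (int k = 0; k < n; k++)
        if (requested[k] == e)
            return 1;
    return 0;
}

int main(void)
{
    printf("original bound: %d enctypes requested, enctype 3 present: %d\n",
           demo_count(0), demo_has(0, 3));
    printf("fixed bound:    %d enctypes requested, enctype 3 present: %d\n",
           demo_count(1), demo_has(1, 3));
    return 0;
}
```

With the fixed bound the list is the deduplicated {1, 3, 5}; with the original bound enctype 3 is dropped because the scan compares it against the stale slot `requested[1]` and treats it as already present, leaving only {1, 5}. A real stack would rarely hold exactly the matching value, which is why the report says the repeat steps are probably insufficient, and why the defect surfaced only with one compiler on one platform.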