To: krb5-bugs@mit.edu
Subject: UDP datagrams > 4K do not work.
Organization: The Fall of Imrryr
Date: Wed, 16 Sep 2009 07:01:24 +0800
From: elric@mournblade.imrryr.org
Message-ID: <20090915230124.C77A31FFF3D@mournblade.imrryr.org>

In src/kdc/network.c, in the function process_packet(), we find:

    response = NULL;
    saddr_len = sizeof(saddr);
    cc = recvfrom(port_fd, pktbuf, sizeof(pktbuf), 0,
                  (struct sockaddr *)&saddr, &saddr_len);
    if (cc == -1) {
        if (errno != EINTR
            /* This is how Linux indicates that a previous transmission was
               refused, e.g., if the client timed out before getting the
               response packet. */
            && errno != ECONNREFUSED)
            com_err(prog, errno, "while receiving from network");
        return;
    }
    if (!cc)
        return;                 /* zero-length packet? */

Unfortunately, if you receive a datagram of over sizeof(pktbuf) you will succeed with cc == sizeof(pktbuf), not detecting the fact that there was additional data. This results in an ASN.1 parse error.

What should happen is that the KDC should return an appropriate error to the client indicating that TCP should be used. Or maybe the buffer size should be increased to the maximum allowable for UDP. I prefer the second option, as there is nothing inherently wrong with 64K UDP packets.

I noticed this while debugging a JGSS problem. Apparently, the Java Kerberos libraries do not fail over from UDP to TCP unless the KDC specifically tells them to. And they have no default setting for udp_preference_limit. And so, if you are constructing tickets of over 4K because, let's say, a user is in a lot of groups in Windows, JGSS will just fail against an MIT KDC.
Fix: change MAX_DGRAM_SIZE in /include/krb5/stock/osconf.h to be the actual maximum datagram size, 65536.

--
Roland Dowdeswell
http://Imrryr.ORG/~elric/
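The silent truncation the report describes, as an added example that is not part of this bug report or of the krb5 sources: a loopback UDP socket receives a constructed 5000-byte datagram into a 4096-byte buffer (standing in for pktbuf), and recvmsg() reports the overflow through MSG_TRUNC in msg_flags, which the recvfrom() return value alone cannot. It assumes POSIX sockets on Linux; the function names are my own.

```c
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>

/* Bind a UDP socket to 127.0.0.1 on an ephemeral port; returns fd or -1. */
static int bind_loopback(struct sockaddr_in *addr)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    socklen_t len = sizeof(*addr);
    if (fd < 0) return -1;
    memset(addr, 0, len);
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)addr, len) < 0 ||
        getsockname(fd, (struct sockaddr *)addr, &len) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Send a send_len-byte datagram to ourselves and read it into a buf_len
 * byte buffer with recvmsg().  Returns 1 if the kernel flagged it as
 * truncated (MSG_TRUNC), 0 if it fit, -1 on error.  *got receives the
 * byte count, which, like the KDC's recvfrom(), is capped at buf_len. */
int datagram_truncated(size_t send_len, size_t buf_len, ssize_t *got)
{
    static char payload[65536], buf[65536];  /* constructed sample data */
    struct sockaddr_in srv;
    int rfd = bind_loopback(&srv), sfd = socket(AF_INET, SOCK_DGRAM, 0);
    struct iovec iov = { buf, buf_len };
    struct msghdr msg = { 0 };
    int rc = -1;
    if (rfd < 0 || sfd < 0 || send_len > sizeof payload || buf_len > sizeof buf)
        goto out;
    memset(payload, 'A', send_len);
    if (sendto(sfd, payload, send_len, 0, (struct sockaddr *)&srv,
               sizeof srv) != (ssize_t)send_len)
        goto out;
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    *got = recvmsg(rfd, &msg, 0);
    if (*got >= 0)
        rc = (msg.msg_flags & MSG_TRUNC) ? 1 : 0;
out:
    if (rfd >= 0) close(rfd);
    if (sfd >= 0) close(sfd);
    return rc;
}
```

A server that checks MSG_TRUNC can reject the request instead of handing a partial buffer to the ASN.1 decoder; raising the buffer to the 65536-byte maximum, as the report proposes, is the other defence.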