Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.411 (Entity 5.404)
X-RT-Original-Encoding: iso-8859-1
Content-Length: 2311

From thomas@pongo.cs.wisc.edu Wed Feb 18 16:58:52 2004
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76])
    by krbdev.mit.edu (8.9.3p2) with ESMTP id QAA00950;
    Wed, 18 Feb 2004 16:58:52 -0500 (EST)
Received: from pongo.cs.wisc.edu (pongo.cs.wisc.edu [128.105.162.13])
    by fort-point-station.mit.edu (8.12.4/8.9.2) with ESMTP id i1ILwp2x028881
    for ; Wed, 18 Feb 2004 16:58:51 -0500 (EST)
Received: (from thomas@localhost)
    by pongo.cs.wisc.edu (8.9.2/8.9.2) id PAA23425;
    Wed, 18 Feb 2004 15:58:06 -0600 (CST)
Date: Wed, 18 Feb 2004 15:58:06 -0600 (CST)
From: David Thompson
Message-Id: <200402182158.PAA23425@pongo.cs.wisc.edu>
To: krb5-bugs@mit.edu
Reply-To: thomas@cs.wisc.edu
Cc:
X-send-pr-version: 3.99

>Submitter-Id: net
>Originator: David Thompson
>Organization:
Dave Thompson
Associate Researcher
Department of Computer Science
University of Wisconsin-Madison
http://www.cs.wisc.edu/~thomas
1210 West Dayton Street
Phone: (608)-262-1017
Madison, WI 53706-1685
Fax: (608)-262-6626
--
>Confidential: no
>Synopsis: bug in fakeka.c
>Severity: serious
>Priority: medium
>Category: krb5-kdc
>Class: sw-bug
>Release: krb5-1.3.1
>Environment: --any--
System: Linux pongo.cs.wisc.edu 2.4.20-28.9smp #1 SMP Thu Dec 18 13:37:36 EST 2003 i686 i686 i386 GNU/Linux
Architecture: i686
>Description:
The fakeka utility has a bad memcpy statement that causes a ka-forwarder to send the return packet to ip 0.0.0.0/0 instead of the original sender of the auth request.
>How-To-Repeat:
Set up a ka-forwarder/fakeka combination and klog.
>Fix:
Index: fakeka.c =================================================================== RCS file: /s/krb5-1.3.1/src/CVSROOT/krb5-1.3.1/src/kdc/fakeka.c,v retrieving revision 1.1.1.1 diff -u -r1.1.1.1 fakeka.c --- fakeka.c 3 Oct 2003 14:04:02 -0000 1.1.1.1 +++ fakeka.c 18 Feb 2004 21:43:48 -0000 @@ -1361,7 +1361,7 @@ /* * copy the forwarder header and adjust the bases and lengths. */ - memcpy(reply.data, reply.data, HEADER_LEN); + memcpy(reply.data, req.data, HEADER_LEN); req.base += HEADER_LEN; req.len -= HEADER_LEN; reply.base += HEADER_LEN;
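
Review bot: the corrected copy `memcpy(reply.data, req.data, HEADER_LEN);` and the `req.len -= HEADER_LEN;` two lines below it both assume the request holds at least HEADER_LEN bytes, and nothing in the visible context checks that. If no earlier code in this function rejects requests shorter than HEADER_LEN, add that check before the memcpy, so a short datagram cannot cause a read past the received data or leave req.len with a wrapped or negative value. Separately, the removed line used reply.data as both source and destination, so it copied nothing useful; since the description says the forwarder relies on this header to route the reply back to the original sender, it would help to extend the comment above the memcpy to say that the header must come from the request, which makes the intent harder to regress.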