From dsr@mail.lns.cornell.edu Fri Feb 22 13:04:52 2002
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id NAA20478
for <bugs@RT-11.mit.edu>; Fri, 22 Feb 2002 13:04:51 -0500 (EST)
Received: from lnscu5.lns.cornell.edu (lnscu5.lns.cornell.edu [128.84.44.111])
by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id NAA04728
for <krb5-bugs@mit.edu>; Fri, 22 Feb 2002 13:04:51 -0500 (EST)
Received: from lnscu6.lns.cornell.edu (lnscu6.lns.cornell.edu [128.84.45.151])
by lnscu5.lns.cornell.edu (8.12.1/8.12.1) with ESMTP id g1MI4oo2009511
for <krb5-bugs@mit.edu>; Fri, 22 Feb 2002 13:04:50 -0500 (EST)
Received: by lnscu6.lns.cornell.edu (8.8.8/1.1.10.5/23Nov96-0144PM)
id NAA19219; Fri, 22 Feb 2002 13:04:50 -0500 (EST)
Message-Id: <200202221804.NAA19219@lnscu6.lns.cornell.edu>
Date: Fri, 22 Feb 2002 13:04:50 -0500 (EST)
From: Dan Riley <dsr@mail.lns.cornell.edu>
Reply-To: dsr@mail.lns.cornell.edu
To: krb5-bugs@mit.edu
Subject: Off by one error in lib/gssapi/krb5/init_sec_context.c
X-Send-Pr-Version: 3.99
Machine: sparc
>Number: 1057
>Category: krb5-libs
>Synopsis: krb5_gss_init_sec_context can miss requested enctypes
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Feb 22 13:05:00 EST 2002
>Last-Modified: Sat Mar 2 20:52:32 EST 2002
>Originator: Dan Riley
>Organization:
LNS, Cornell U.
>Release: krb5-1.2.3
>Environment:
System: SunOS solfa1.lns.cornell.edu 5.8 Generic_108528-13 sparc
Machine: sparc
>Description:
lib/gssapi/krb5/init_sec_context.c has an off-by-one error that
can result in an enctype being omitted from the list of
requested_enctypes if the uninitialized value one over the end
of the requested_enctypes array happens to match the value of
the corresponding default_enctypes entry.
>How-To-Repeat:
Compile krb5-1.2.3 on Solaris 8 with the Workshop 6 compiler;
kadmin will fail with the error
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
if the kdc only supports des-cbc-crc:normal and krb5.conf on the
client does not restrict the default tgs enctypes (this is probably
insufficient to repeat the error, since it depends on the values
of uninitialized junk on the stack).
>Fix:
requested_enctypes is filled via
requested_enctypes[i++] = e;
so the appropriate test for scanning requested_enctypes is 'k < i',
not 'k <= i'--'k <= i' goes one past the end of the initialized values
of the array.
--- krb5-1.2.3/src/lib/gssapi/krb5/init_sec_context.c Wed Jan 9 17:27:43 2002
+++ krb5/lib/gssapi/krb5/init_sec_context.c Fri Feb 22 12:33:00 2002
@@ -488,10 +488,10 @@
/* Is this enctype already in the list of enctypes to
request? */
- for (k = 0; k <= i; k++)
+ for (k = 0; k < i; k++)
if (requested_enctypes[k] == e)
break;
- if (k <= i)
+ if (k < i)
continue;
/* Add it. */
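Review bot: the two bounds change together here, as they must: `i` is the number of entries already stored through `requested_enctypes[i++] = e`, so `for (k = 0; k < i; k++)` now scans exactly the populated prefix and the post-loop test `if (k < i)` is the matching "already present" check. The old `k <= i` also compared `requested_enctypes[i]`, a slot that has never been written, so whatever happened to be on the stack there could equal `e` and silently drop that enctype from the request (the des-cbc-crc failure described in How-To-Repeat). Suggest a one-line comment above the loop stating that `i` counts populated entries, so the bound is not "corrected" back to `<=` later.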
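The off-by-one from the report, as an added C illustration that is not krb5's own code: `build_requested` and `count_requested` are hypothetical helpers that mimic the loop in the hunk above with either bound, the enctype numbers are constructed (1 stands in for des-cbc-crc), and the "stack junk" value is planted on purpose so the omission happens every time instead of depending on luck.

```c
#include <stdio.h>

/* Added illustration, not code from krb5: a model of the loop in
 * krb5_gss_init_sec_context (krb5-1.2.3) that copied default_enctypes
 * into requested_enctypes while dropping duplicates. Enctype numbers
 * are constructed (1 stands in for des-cbc-crc); the "stack junk"
 * value is planted deliberately so the bug triggers deterministically. */

#define MAX_ENCTYPES 8

/* Returns how many enctypes end up in requested_enctypes.
 * with_bug != 0 uses the 1.2.3 bounds (k <= i), 0 uses the 1.2.4 fix (k < i). */
static int build_requested(const int *default_enctypes, int n_default,
                           int *requested_enctypes, int junk, int with_bug)
{
    int i = 0, j, k;

    for (j = 0; j < MAX_ENCTYPES; j++)   /* pretend the array is uninitialized */
        requested_enctypes[j] = junk;

    for (j = 0; j < n_default && i < MAX_ENCTYPES; j++) {
        int e = default_enctypes[j];
        /* i entries have been stored via requested_enctypes[i++] = e, so
         * slot i has never been written; the buggy bound reads it anyway. */
        int limit = with_bug ? i + 1 : i;

        for (k = 0; k < limit; k++)      /* already in the list? */
            if (requested_enctypes[k] == e)
                break;
        if (k < limit)
            continue;                    /* believed found: not added */
        requested_enctypes[i++] = e;     /* Add it. */
    }
    return i;
}

/* Scenario from the report: the KDC only speaks enctype 1, the client asks
 * for 1, 2 and 3, and the junk one past the end happens to equal 1. */
int count_requested(int with_bug)
{
    const int defaults[] = { 1, 2, 3 };
    int requested[MAX_ENCTYPES];
    return build_requested(defaults, 3, requested, /* junk */ 1, with_bug);
}

int main(void)
{
    printf("1.2.3 loop requests %d enctypes, 1.2.4 loop requests %d\n",
           count_requested(1), count_requested(0));   /* 2 vs 3 */
    return 0;
}
```

With the buggy bound the only enctype the KDC supports is never requested, which is exactly the kadmin failure the report describes; with the fixed bound all three are sent.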
>Audit-Trail:
State-Changed-From-To: open-closed
State-Changed-By: hartmans
State-Changed-When: Sat Mar 2 20:52:23 2002
State-Changed-Why:
Fixed in 1.2.4
>Unformatted: