From thomas@pongo.cs.wisc.edu Wed Feb 18 16:58:52 2004
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by krbdev.mit.edu (8.9.3p2) with ESMTP
id QAA00950; Wed, 18 Feb 2004 16:58:52 -0500 (EST)
Received: from pongo.cs.wisc.edu (pongo.cs.wisc.edu [128.105.162.13])
by fort-point-station.mit.edu (8.12.4/8.9.2) with ESMTP id i1ILwp2x028881
for <krb5-bugs@mit.edu>; Wed, 18 Feb 2004 16:58:51 -0500 (EST)
Received: (from thomas@localhost)
by pongo.cs.wisc.edu (8.9.2/8.9.2) id PAA23425;
Wed, 18 Feb 2004 15:58:06 -0600 (CST)
Date: Wed, 18 Feb 2004 15:58:06 -0600 (CST)
From: David Thompson <thomas@cs.wisc.edu>
Message-Id: <200402182158.PAA23425@pongo.cs.wisc.edu>
To: krb5-bugs@mit.edu
Reply-To: thomas@cs.wisc.edu
Cc:
X-send-pr-version: 3.99
>Submitter-Id: net
>Originator: David Thompson
>Organization:
Dave Thompson <thomas@cs.wisc.edu>
Associate Researcher Department of Computer Science
University of Wisconsin-Madison http://www.cs.wisc.edu/~thomas
1210 West Dayton Street Phone: (608)-262-1017
Madison, WI 53706-1685 Fax: (608)-262-6626
--
>Confidential: no
>Synopsis: bug in fakeka.c
>Severity: serious
>Priority: medium
>Category: krb5-kdc
>Class: sw-bug
>Release: krb5-1.3.1
>Environment:
System: Linux pongo.cs.wisc.edu 2.4.20-28.9smp #1 SMP Thu Dec 18 13:37:36 EST 2003 i686 i686 i386 GNU/Linux
Architecture: i686
>Description:
The fakeka utility has a bad memcpy statement that causes a ka-forwarder to send the return packet to ip 0.0.0.0/0 instead
of the original sender of the auth request.
>How-To-Repeat:
Set up a ka-forwarder/fakeka combination and klog.
>Fix:
Index: fakeka.c
===================================================================
RCS file: /s/krb5-1.3.1/src/CVSROOT/krb5-1.3.1/src/kdc/fakeka.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 fakeka.c
--- fakeka.c 3 Oct 2003 14:04:02 -0000 1.1.1.1
+++ fakeka.c 18 Feb 2004 21:43:48 -0000
@@ -1361,7 +1361,7 @@
/*
* copy the forwarder header and adjust the bases and lengths.
*/
- memcpy(reply.data, reply.data, HEADER_LEN);
+ memcpy(reply.data, req.data, HEADER_LEN);
req.base += HEADER_LEN;
req.len -= HEADER_LEN;
reply.base += HEADER_LEN;
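Review bot: the visible context shows no check that req.len is at least HEADER_LEN before the `req.len -= HEADER_LEN;` that follows the corrected memcpy; if that bound is enforced earlier in fakeka.c the submission should say where, otherwise a guard before the copy is needed so a short datagram cannot drive req.len negative or wrap it. The replacement `memcpy(reply.data, req.data, HEADER_LEN);` itself is the right fix: the original copied reply.data onto itself, which moves nothing, so the forwarder header in the reply was never filled in from the request, matching the all-zero return address in the report. Worth noting in the log that memcpy with identical source and destination is an overlapping copy, which the C standard leaves undefined, so the no-op is only what glibc happens to do.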
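The effect of the self-copy the report describes, modelled as an added example in C. This is not code from fakeka.c or the krb5 project: the struct pkt layout, the HEADER_LEN value of 6, the assumed header format (4-byte IPv4 address then 2-byte port), the function names and the 192.0.2.10:7004 sender are all constructed for illustration. The buggy path shows the reply header staying at 0.0.0.0:0; the fixed path copies the header from the request and adds the length check the hunk does not show.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed header layout for this example only: 4-byte IPv4 address followed
 * by a 2-byte port, network byte order. Not the real ka-forwarder format. */
#define HEADER_LEN 6
#define PKT_MAX 512

struct pkt {
    unsigned char data[PKT_MAX]; /* whole datagram, forwarder header first */
    unsigned char *base;         /* start of the ka payload after the header */
    size_t len;                  /* bytes remaining from base */
};

/* Constructed request: header naming the original sender, then a dummy
 * ka payload. The fields mirror what fakeka adjusts in the hunk. */
static void make_request(struct pkt *req, const unsigned char addr[4],
                         uint16_t port, const char *payload)
{
    size_t plen = strlen(payload);
    memset(req, 0, sizeof *req);
    memcpy(req->data, addr, 4);
    req->data[4] = (unsigned char)(port >> 8);
    req->data[5] = (unsigned char)(port & 0xff);
    memcpy(req->data + HEADER_LEN, payload, plen);
    req->base = req->data;
    req->len = HEADER_LEN + plen;
}

/* Decode the reply header as "a.b.c.d:port": where the forwarder would
 * send the packet. */
static void reply_dest(const struct pkt *reply, char *out, size_t outlen)
{
    const unsigned char *h = reply->data;
    snprintf(out, outlen, "%u.%u.%u.%u:%u", h[0], h[1], h[2], h[3],
             (unsigned)((h[4] << 8) | h[5]));
}

/* Pre-patch behaviour. The original line was
 *     memcpy(reply.data, reply.data, HEADER_LEN);
 * a self-copy that moves nothing (and is undefined for memcpy because the
 * operands overlap); memmove reproduces the no-op here without the UB.
 * The zeroed reply buffer keeps an all-zero header, i.e. 0.0.0.0:0. */
static void build_reply_buggy(struct pkt *reply, struct pkt *req)
{
    memset(reply, 0, sizeof *reply);
    memmove(reply->data, reply->data, HEADER_LEN);
    req->base += HEADER_LEN;
    req->len -= HEADER_LEN;
    reply->base = reply->data + HEADER_LEN;
    reply->len = 0;
}

/* Patched behaviour plus a bound check (assumed, not in the hunk): refuse a
 * request shorter than the header instead of underflowing req->len. */
static int build_reply_fixed(struct pkt *reply, struct pkt *req)
{
    if (req->len < HEADER_LEN)
        return -1;
    memset(reply, 0, sizeof *reply);
    memcpy(reply->data, req->data, HEADER_LEN); /* the patched line */
    req->base += HEADER_LEN;
    req->len -= HEADER_LEN;
    reply->base = reply->data + HEADER_LEN;
    reply->len = 0;
    return 0;
}

/* Run both variants on the same constructed request. Returns 1 when the
 * fixed reply is addressed to the original sender and the buggy one is not. */
int demo(char *buggy_dest, char *fixed_dest, size_t n)
{
    static const unsigned char sender[4] = {192, 0, 2, 10}; /* constructed */
    struct pkt req, reply;

    make_request(&req, sender, 7004, "klog-request");
    build_reply_buggy(&reply, &req);
    reply_dest(&reply, buggy_dest, n);

    make_request(&req, sender, 7004, "klog-request");
    if (build_reply_fixed(&reply, &req) != 0)
        return 0;
    reply_dest(&reply, fixed_dest, n);

    return strcmp(fixed_dest, "192.0.2.10:7004") == 0 &&
           strcmp(buggy_dest, "0.0.0.0:0") == 0;
}

int demo_ok(void)
{
    char b[32], f[32];
    return demo(b, f, sizeof b);
}

/* A datagram shorter than the header must be rejected by the fixed path. */
int short_request_rejected(void)
{
    struct pkt req, reply;
    memset(&req, 0, sizeof req);
    req.base = req.data;
    req.len = HEADER_LEN - 1;
    return build_reply_fixed(&reply, &req) == -1;
}

int main(void)
{
    char b[32], f[32];
    int ok = demo(b, f, sizeof b);
    printf("buggy reply goes to %s, fixed reply goes to %s\n", b, f);
    return ok && short_request_rejected() ? 0 : 1;
}
```

Compile with any C99 compiler and run; the buggy variant reports 0.0.0.0:0 as the destination while the fixed one reports the constructed sender. The length check in build_reply_fixed is the guard the patch does not show and a reviewer would ask about before accepting it.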