Date: | Tue, 13 Nov 2007 03:15:59 -0500 (EST) |
From: | David Bartley <dtbartle@csclub.uwaterloo.ca> |
To: | krb5-bugs@mit.edu |
Subject: | GSSAPI Error Display Bug |
There's a bug in the GSSAPI g_display_com_err_status function. Kerberos
error codes are represented as an int32 are are negative. However, in
g_display_com_err the status_value (i.e. the krb5 error) is passed in as a
uint32. This function then passes status_value to error_message, which
expects a signed long, which is an int64 on 64-bit systems. Casting a uint32
to an int64 will not sign-extend the value, so an incorrect error code ends
up being passed to error_message.
This bug can be seen when using SASL/GSSAPI (e.g. ldapsearch). On 32-bit
systems the full error text is displayed, whereas on 64-bit systems only
the error number is displayed. I've attached a patch which fixes the bug.
error codes are represented as an int32 are are negative. However, in
g_display_com_err the status_value (i.e. the krb5 error) is passed in as a
uint32. This function then passes status_value to error_message, which
expects a signed long, which is an int64 on 64-bit systems. Casting a uint32
to an int64 will not sign-extend the value, so an incorrect error code ends
up being passed to error_message.
This bug can be seen when using SASL/GSSAPI (e.g. ldapsearch). On 32-bit
systems the full error text is displayed, whereas on 64-bit systems only
the error number is displayed. I've attached a patch which fixes the bug.
Message body is not shown because sender requested not to inline it.