
Subject: KLCacheHasValidTickets changed behavior
Didn't set validTickets flag on expired ticket.

Vendor's priority - Serious Bug
Vendor's patch - LHA-6361873-KLCacheHasValidTickets-default-to-expired
Including the patch
diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kim/lib/kim_ccache.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kim/lib/kim_ccache.c
--- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kim/lib/kim_ccache.c 2008-11-07 11:24:45.000000000 -0800
+++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kim/lib/kim_ccache.c 2008-11-11 13:56:53.000000000 -0800
@@ -721,7 +721,7 @@
kim_boolean out_of_credentials = FALSE;
kim_boolean found_valid_tgt = FALSE;
kim_boolean dominant_is_tgt = FALSE;
- kim_credential_state dominant_state = kim_credentials_state_valid;
+ kim_credential_state dominant_state = kim_credentials_state_expired;
kim_credential dominant_credential = NULL;

if (!err && !in_ccache) { err = check_error (KIM_NULL_PARAMETER_ERR); }
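Review bot: the changed initializer of `dominant_state` (now `kim_credentials_state_expired`) has no comment saying which path through the function leaves it at its initial value, so a reader cannot tell whether "expired" is the intended answer for that path or only a fallback. Starting from a non-valid state is consistent with `found_valid_tgt = FALSE` two lines above, but the hunk does not show the case that previously fell through as valid. Please add a one-line comment naming that case and a regression test that builds the ccache state from the report. If the credential state type has a value that describes that case more precisely than expired, initialize to that instead, so callers are not told tickets expired when they are unusable for a different reason.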
RT-Send-CC: lha@apple.com
updated CC list
I'm concerned that this patch does not fix the underlying problem with this function. The patch
changes the default return value from valid to expired. However the code below is *supposed*
to catch all non-valid ticket conditions. I'm not disputing that there is a real bug here, but
changing the default return value is probably just masking the real bug where one of the
non-valid ticket conditions is not being detected by the logic.

In particular using this method of fixing the bug may mean that KIM returns that tickets are
expired when they are invalid for some other reason (need validation/not yet valid).

Would it be possible to get a description of the state of the ccache when KLCacheHasValidTickets returned that tickets were valid even though they weren't? I looked for
a regression test flagged with this bug number and didn't see one.