Subject: setpw response parsing fails for lengths above 255
CC: rra@stanford.edu
Russ Allbery reports that the parsing code for setpw responses uses
incorrect mask-and-shift logic for the first byte of the message length,
and Jeff Altman points out that this is also true for three other lengths.
This bug is no longer present in trunk due to code consolidation, so I'm
attaching a patch and marking it for pullup to 1.9. This is not a very
high priority issue, since it's just an error reporting failure in rare
deployments.
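To see what the one-expression fix changes, here is an added example that is not the ticket's or MIT Kerberos' code: the pre- and post-patch two-byte decode from chpw.c, run over a constructed reply header whose field layout (length, version, AP-REP length) is assumed from the fields the patch reads.

```c
#include <stddef.h>
#include <stdio.h>

/* Pre-patch decode from chpw.c: the & 0xff is applied after the shift,
 * so the high byte is always discarded and only ptr[1] survives. */
static int decode_be16_buggy(const char *ptr)
{
    return (((ptr[0] << 8) & 0xff) | (ptr[1] & 0xff));
}

/* Post-patch decode: mask each byte first, then shift the high byte.
 * Masking before the shift also keeps a byte of 0x80 or above from
 * sign-extending when char is signed. */
static int decode_be16_fixed(const char *ptr)
{
    return (((ptr[0] & 0xff) << 8) | (ptr[1] & 0xff));
}

/* Constructed reply header (assumed layout: length, version, AP-REP length,
 * each two bytes big endian): length 0x0123 = 291, version 0x0001,
 * AP-REP length 0x0180 = 384. All values are made up for this example. */
static const char sample_hdr[6] = {
    0x01, 0x23, 0x00, 0x01, 0x01, (char)0x80
};

/* Mirrors the "message length and packet length agree" check: returns 1
 * when the decoded length matches the byte count actually received. */
static int message_length_agrees(const char *hdr, size_t packet_length)
{
    return (size_t)decode_be16_fixed(hdr) == packet_length;
}

int main(void)
{
    /* High byte non-zero: buggy decode keeps only the low byte (35 vs 291). */
    printf("message length: buggy=%d fixed=%d\n",
           decode_be16_buggy(sample_hdr), decode_be16_fixed(sample_hdr));
    /* High byte zero: both forms agree, which is why the bug went unnoticed. */
    printf("version:        buggy=%d fixed=%d\n",
           decode_be16_buggy(sample_hdr + 2), decode_be16_fixed(sample_hdr + 2));
    /* Low byte 0x80: the & 0xff on ptr[1] matters here (128 vs 384). */
    printf("ap_rep length:  buggy=%d fixed=%d\n",
           decode_be16_buggy(sample_hdr + 4), decode_be16_fixed(sample_hdr + 4));
    printf("291-byte packet agrees: %d, 35-byte packet agrees: %d\n",
           message_length_agrees(sample_hdr, 291),
           message_length_agrees(sample_hdr, 35));
    return 0;
}
```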
Index: lib/krb5/krb/chpw.c
===================================================================
--- lib/krb5/krb/chpw.c (revision 24707)
+++ lib/krb5/krb/chpw.c (working copy)
@@ -379,7 +379,7 @@
** validate the message length -
** length is big endian
*/
- message_length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ message_length = (((ptr[0]&0xff) << 8) | (ptr[1]&0xff));
ptr += 2;
/*
** make sure the message length and packet length agree -
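Review bot: the corrected `message_length` line is right, since in the old form `(ptr[0] << 8)&0xff` masks away everything the shift produced and leaves only `ptr[1]`, so any reply longer than 255 bytes fails the "message length and packet length agree" check that follows. Because `ptr` is a `char` pointer, masking before the shift is also what keeps a high byte of 0x80 or above from sign-extending on targets with signed `char`; worth a sentence in the commit message that all four hunks are this same one-expression fix.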
@@ -389,7 +389,7 @@
/*
** get the version number -
*/
- version_number = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ version_number = (((ptr[0]&0xff) << 8) | (ptr[1]&0xff));
ptr += 2;
/*
** make sure we support the version returned -
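Review bot: `version_number` is decoded with the same expression, so the old code only read it correctly when the high byte was zero; any version value of 256 or more would have been truncated and then rejected by the "make sure we support the version returned" check. Consider pulling the repeated `((ptr[0]&0xff) << 8) | (ptr[1]&0xff)` into a small static helper so that no further copy can drift, which is effectively what the trunk consolidation already did.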
@@ -405,7 +405,7 @@
/*
** get the reply length -
*/
- ap_rep.length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ ap_rep.length = (((ptr[0]&0xff) << 8) | (ptr[1]&0xff));
ptr += 2;
/*
** validate ap_rep length agrees with the packet length -
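Review bot: `ap_rep.length` feeds the "validate ap_rep length agrees with the packet length" check right below, so with the old expression an AP-REP of 256 bytes or more decoded to its low byte only and the whole reply was rejected; this is the hunk most likely to account for the reported error-reporting failure. The now larger value still needs to be checked against the bytes remaining in the packet before `ptr` is advanced past it, which the existing validation comment indicates is done.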
@@ -468,7 +468,7 @@
*/
ptr = clearresult.data;
- *result_code = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ *result_code = (((ptr[0]&0xff) << 8) | (ptr[1]&0xff));
ptr += 2;
/*
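Review bot: unless result codes can exceed 255, this hunk changes no observable behaviour, so the commit message should say it is included for consistency with the other three sites rather than leave a reader hunting for a separate bug in `*result_code` handling. Please also confirm that `clearresult.length` is checked to be at least 2 before `ptr[1]` is read from `clearresult.data`, since that guard is outside the visible context.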