Subject: setpw response parsing fails for lengths above 255
CC: rra@stanford.edu
Russ Allbery reports that the parsing code for setpw responses uses
incorrect mask-and-shift logic for the first byte of the message length,
and Jeff Altman points out that this is also true for three other lengths.
This bug is no longer present in trunk due to code consolidation, so I'm
attaching a patch and marking it for pullup to 1.9. This is not a very
high priority issue, since it's just an error reporting failure in rare
deployments.
Index: lib/krb5/krb/chpw.c
===================================================================
--- lib/krb5/krb/chpw.c (revision 24707)
+++ lib/krb5/krb/chpw.c (working copy)
@@ -379,7 +379,7 @@
** validate the message length -
** length is big endian
*/
- message_length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ message_length = (((ptr[0]&0xff) << 8) | (ptr[1]&0xff));
ptr += 2;
/*
** make sure the message length and packet length agree -
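Review bot: the `message_length` replacement is correct; in the old expression `(ptr[0] << 8) & 0xff` the mask is applied after the shift, so that term always evaluates to 0 and only `ptr[1]` contributes, which is exactly why lengths above 255 were mis-parsed and the "message length and packet length agree" check that follows rejected valid replies. Masking `ptr[0]` before shifting also keeps a negative value from sign-extending into the high bits if `ptr` is a plain `char *`. Since this identical expression is repeated four times in this file, a small shared 16-bit big-endian load helper would make the consolidation the ticket mentions for trunk explicit here too, instead of correcting each copy by hand.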
@@ -389,7 +389,7 @@
/*
** get the version number -
*/
- version_number = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ version_number = (((ptr[0]&0xff) << 8) | (ptr[1]&0xff));
ptr += 2;
/*
** make sure we support the version returned -
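Review bot: same defect and same fix on the `version_number` line; with the old expression the "make sure we support the version returned" check below was effectively comparing only the low byte of the version, so any version whose high byte is nonzero could never have matched. Fine as patched.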
@@ -405,7 +405,7 @@
/*
** get the reply length -
*/
- ap_rep.length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ ap_rep.length = (((ptr[0]&0xff) << 8) | (ptr[1]&0xff));
ptr += 2;
/*
** validate ap_rep length agrees with the packet length -
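Review bot: the `ap_rep.length` fix is consistent with the other hunks; because the decoded value is then compared against the remaining packet ("validate ap_rep length agrees with the packet length"), the old form under-reported the length of any AP-REP longer than 255 bytes and made that check fail, matching the ticket's description of an error-reporting failure. A regression test with a reply whose AP-REP exceeds 255 bytes would keep the mask/shift order from silently regressing.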
@@ -468,7 +468,7 @@
*/
ptr = clearresult.data;

- *result_code = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ *result_code = (((ptr[0]&0xff) << 8) | (ptr[1]&0xff));
ptr += 2;

/*
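Review bot: the `*result_code` line gets the same correction; unlike the three length fields this value is returned to the caller, so with the old expression any 16-bit result code with a nonzero high byte was handed back with that byte dropped. One thing to confirm in the surrounding code: the two bytes are read from `clearresult.data` immediately after `ptr = clearresult.data;` with no check visible in this hunk that `clearresult.length >= 2`, so if that check lives in the elided context it should stay ahead of this read.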
From: tlyu@mit.edu
Subject: SVN Commit

Fix an incorrect shift-and-mask length decoding operation reported by
Russ Allbery.

https://github.com/krb5/krb5/commit/bc3aa03e3446ac9c0c36dbb3c65c27268dcde837
Commit By: tlyu
Revision: 24958
Changed Files:
U branches/krb5-1-9/src/lib/krb5/krb/chpw.c
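As an added example, not part of the ticket or of the krb5 tree: the pre-patch and patched decodings of the 16-bit big-endian field side by side, with a stand-in for the length check that follows them in chpw.c, showing why replies of 255 bytes or less parsed fine while longer ones were rejected. The function names and the sample headers are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not krb5 code: the two decodings of a 16-bit big-endian
 * field from the ticket, plus the length check that follows them.
 * ptr is unsigned char here so every shift is well defined. */

/* Pre-patch form: the mask is applied after the shift, so the high byte is
 * always thrown away and the result is just ptr[1]. */
static unsigned int decode16_buggy(const unsigned char *ptr)
{
    return ((ptr[0] << 8) & 0xff) | (ptr[1] & 0xff);
}

/* Patched form: mask each byte, then shift the high byte into place. */
static unsigned int decode16_fixed(const unsigned char *ptr)
{
    return ((ptr[0] & 0xff) << 8) | (ptr[1] & 0xff);
}

/* Stand-in for the "message length and packet length agree" check:
 * decode the length field at the start of pkt and compare it with the
 * real packet size. Returns 1 when they agree, 0 otherwise. */
static int message_length_agrees(const unsigned char *pkt, size_t pkt_len,
                                 int use_fixed)
{
    unsigned int message_length =
        use_fixed ? decode16_fixed(pkt) : decode16_buggy(pkt);
    return message_length == pkt_len;
}

/* Constructed headers (just the 2-byte length field, hypothetical values):
 * one for a 200-byte reply and one for a 300-byte reply. */
static const unsigned char hdr_200[2] = { 0x00, 0xc8 };
static const unsigned char hdr_300[2] = { 0x01, 0x2c };

int main(void)
{
    printf("200-byte reply: buggy=%u fixed=%u\n",
           decode16_buggy(hdr_200), decode16_fixed(hdr_200));
    printf("300-byte reply: buggy=%u fixed=%u\n",
           decode16_buggy(hdr_300), decode16_fixed(hdr_300));
    printf("300-byte reply passes length check: buggy=%d fixed=%d\n",
           message_length_agrees(hdr_300, 300, 0),
           message_length_agrees(hdr_300, 300, 1));
    return 0;
}
```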