Subject: spurious "Communication failure" from kadmind with certain policy values
Marc Richter observed the error
'get_policy: Communication failure with server while retrieving policy "admin"'
when attempting to retrieve a policy with a pw_max_life value that is greater than 2**31 but
less than 2**32. The libkadm5 RPCs use xdr_long() instead of xdr_uint32() in a few places
because the relevant fields in the kadm5_policy_ent_rec structure are declared as long.
xdr_long() is only supposed to work for signed 32-bit integer values, so on a 64-bit platform,
the C long type can represent values that are outside of this range, causing xdr_long() to fail
on the server.
libkadm5 should probably either reject such problematic values, or clamp them to reasonable
bounds. There might also need to be handling of existing databases containing the
problematic values.
Further background information at
http://mailman.mit.edu/pipermail/kerberos/2014-December/020408.html
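
The failure mode described in this ticket, as an added example that is not code from libkadm5 or from the ticket. model_xdr_long_encode() is a hypothetical stand-in for a 4-byte XDR signed-integer encoder handed a 64-bit long (int64_t is used so it behaves the same on any platform), and policy_life_ok() and clamp_policy_life() are hypothetical sketches of the "reject" and "clamp" options suggested above; the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Model: XDR integers are 4 bytes, big-endian, two's complement. A value
 * that does not fit is refused, not truncated. Returns 1 on success and
 * 0 on failure, which the RPC layer would report as a communication failure. */
static int model_xdr_long_encode(int64_t v, unsigned char out[4])
{
    uint32_t u;

    if (v < INT32_MIN || v > INT32_MAX)
        return 0;
    u = (uint32_t)(int32_t)v;
    out[0] = (unsigned char)(u >> 24);
    out[1] = (unsigned char)(u >> 16);
    out[2] = (unsigned char)(u >> 8);
    out[3] = (unsigned char)u;
    return 1;
}

/* "Reject" option (assumption): accept only lifetimes that every peer can
 * encode, checked at the point where the policy is created or modified. */
static int policy_life_ok(int64_t v)
{
    return v >= 0 && v <= INT32_MAX;
}

/* "Clamp" option (assumption): pin an out-of-range value that is already
 * stored in the database to the nearest encodable bound before sending it. */
static int64_t clamp_policy_life(int64_t v)
{
    if (v < 0)
        return 0;
    return v > INT32_MAX ? INT32_MAX : v;
}

int main(void)
{
    /* Constructed samples: one day, INT32_MAX, 2**31, and a value in (2**31, 2**32). */
    const int64_t samples[] = { 86400, 2147483647LL, 2147483648LL, 3000000000LL };
    unsigned char buf[4];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%lld: raw=%d accept=%d clamped=%d\n", (long long)samples[i],
               model_xdr_long_encode(samples[i], buf), policy_life_ok(samples[i]),
               model_xdr_long_encode(clamp_policy_life(samples[i]), buf));
    return 0;
}
```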