From crawdad@gungnir.fnal.gov Tue Jan 11 10:29:10 2000
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28])
by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id KAA10331
for <bugs@RT-11.MIT.EDU>; Tue, 11 Jan 2000 10:29:06 -0500 (EST)
Received: from gungnir.fnal.gov by MIT.EDU with SMTP
id AA03413; Tue, 11 Jan 00 10:30:04 EST
Received: (from crawdad@localhost)
by gungnir.fnal.gov (8.9.1/8.9.1) id JAA27051;
Tue, 11 Jan 2000 09:29:05 -0600 (CST)
Message-Id: <200001111529.JAA27051@gungnir.fnal.gov>
Date: Tue, 11 Jan 2000 09:29:05 -0600 (CST)
From: crawdad@fnal.gov
Reply-To: crawdad@fnal.gov
To: krb5-bugs@MIT.EDU
Subject: lucky bad code in lib/krb5/krb/preauth2.c
X-Send-Pr-Version: 3.99
System: SunOS gungnir.fnal.gov 5.5.1 Generic_103640-24 sun4u sparc SUNW,Ultra-1
Architecture: sun4
#define PA_REAL 0x0001
#define PA_INFO 0x0002
/* ... */
static int paorder[] = { PA_INFO, PA_REAL };
/* ... */
for (h=0; h<(sizeof(paorder)/sizeof(paorder[0])); h++) {
realdone = 0;
for (i=0; in_padata[i] && !realdone; i++) {
/* ... */
if (h == PA_REAL)
realdone = 1;
}
}
}
}
You can see that it's pure dumb luck that PA_REAL, with *value* 1,
happens to be the second thing in paorder[], with *index* 1.
Responsible-Changed-From-To: krb5-unassigned->raeburn
Responsible-Changed-By: raeburn
Responsible-Changed-When: Fri Feb 25 21:14:51 2000
Responsible-Changed-Why:
I've got it...
State-Changed-From-To: open-feedback
State-Changed-By: raeburn
State-Changed-When: Fri Feb 25 21:14:57 2000
State-Changed-Why:
Checked in for 1.2.
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28])
by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id KAA10331
for <bugs@RT-11.MIT.EDU>; Tue, 11 Jan 2000 10:29:06 -0500 (EST)
Received: from gungnir.fnal.gov by MIT.EDU with SMTP
id AA03413; Tue, 11 Jan 00 10:30:04 EST
Received: (from crawdad@localhost)
by gungnir.fnal.gov (8.9.1/8.9.1) id JAA27051;
Tue, 11 Jan 2000 09:29:05 -0600 (CST)
Message-Id: <200001111529.JAA27051@gungnir.fnal.gov>
Date: Tue, 11 Jan 2000 09:29:05 -0600 (CST)
From: crawdad@fnal.gov
Reply-To: crawdad@fnal.gov
To: krb5-bugs@MIT.EDU
Subject: lucky bad code in lib/krb5/krb/preauth2.c
X-Send-Pr-Version: 3.99
Show quoted text
>Number: 812
>Category: krb5-libs
>Synopsis: Buggy test works by luck
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: raeburn
>State: feedback
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Jan 11 10:30:01 EST 2000
>Last-Modified: Fri Feb 25 21:15:08 EST 2000
>Originator: Matt Crawford
>Organization:
Fermilab>Category: krb5-libs
>Synopsis: Buggy test works by luck
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: raeburn
>State: feedback
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Jan 11 10:30:01 EST 2000
>Last-Modified: Fri Feb 25 21:15:08 EST 2000
>Originator: Matt Crawford
>Organization:
Show quoted text
>Release: krb5-1.1.1
>Environment:
Source code error>Environment:
System: SunOS gungnir.fnal.gov 5.5.1 Generic_103640-24 sun4u sparc SUNW,Ultra-1
Architecture: sun4
Show quoted text
>Description:
Excerpts from lib/krb5/krb/preauth2.c ...#define PA_REAL 0x0001
#define PA_INFO 0x0002
/* ... */
static int paorder[] = { PA_INFO, PA_REAL };
/* ... */
for (h=0; h<(sizeof(paorder)/sizeof(paorder[0])); h++) {
realdone = 0;
for (i=0; in_padata[i] && !realdone; i++) {
/* ... */
if (h == PA_REAL)
realdone = 1;
}
}
}
}
You can see that it's pure dumb luck that PA_REAL, with *value* 1,
happens to be the second thing in paorder[], with *index* 1.
Show quoted text
>How-To-Repeat:
inspectionShow quoted text
>Fix:
That if condition ought to read "if (paorder[h] == PA_REAL)".Show quoted text
>Audit-Trail:
Responsible-Changed-From-To: krb5-unassigned->raeburn
Responsible-Changed-By: raeburn
Responsible-Changed-When: Fri Feb 25 21:14:51 2000
Responsible-Changed-Why:
I've got it...
State-Changed-From-To: open-feedback
State-Changed-By: raeburn
State-Changed-When: Fri Feb 25 21:14:57 2000
State-Changed-Why:
Checked in for 1.2.
Show quoted text
>Unformatted: