* cc_mslsa.c: the MSLSA code was crashing on Pismere machines when

     logging on with cross realm credentials.  On these machines there are
     8 tickets within the LSA cache from two different realms.  One of the
     krbtgt/CLIENT-REALM@CLIENT-REALM tickets (not the Initial ticket but
     a Forwarded ticket) is inaccessible to the ms2mit.exe and leash32.exe
     processes.  The attempt to access the ticket returns a SubStatus code
     of STATUS_LOGON_FAILURE (0xC000006DL) which is supposed to mean that
     the logon attempt was invalid due to bad authentication information.
     kerbtray has no problem listing this ticket.  The other seven tickets
     in the cache including the Initial Ticket are accessible.  Modified
     krb5_lcc_next_cred() to skip to the next ticket if an attempt to read
     a single ticket fails.

ticket: 2184
tags: pullup
target_version: 1.3.2

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15997 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/krb5/ccache/ChangeLog b/src/lib/krb5/ccache/ChangeLog
index c7ba3ac6a11587b8cb655c199ac7a624055fa992..e3b86e6eebe7485dd81f2a328041d0376941b42e 100644 (file)
--- a/src/lib/krb5/ccache/ChangeLog
+++ b/src/lib/krb5/ccache/ChangeLog
@@ -1,3 +1,18 @@
+2004-02-02  Jeffrey Altman <jaltman@mit.edu>
+
+   * cc_mslsa.c: the MSLSA code was crashing on Pismere machines when 
+     logging on with cross realm credentials.  On these machines there are
+     8 tickets within the LSA cache from two different realms.  One of the
+     krbtgt/CLIENT-REALM@CLIENT-REALM tickets (not the Initial ticket but
+     a Forwarded ticket) is inaccessible to the ms2mit.exe and leash32.exe
+     processes.  The attempt to access the ticket returns a SubStatus code
+     of STATUS_LOGON_FAILURE (0xC000006DL) which is supposed to mean that
+     the logon attempt was invalid due to bad authentication information.
+     kerbtray has no problem listing this ticket.  The other seven tickets
+     in the cache including the Initial Ticket are accessible.  Modified 
+     krb5_lcc_next_cred() to skip to the next ticket if an attempt to read
+     a single ticket fails.
+
 2004-01-31  Jeffrey Altman <jaltman@mit.edu>
 
    * cc_mslsa.c: Optimize the get next logic by storing a handle to

diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c
index c0df862f52326824e42b8bb4710d6a4cc4db592c..9c3a57bb9d5dcd37e3a68ad1828eb12a2774c618 100644 (file)
--- a/src/lib/krb5/ccache/cc_mslsa.c
+++ b/src/lib/krb5/ccache/cc_mslsa.c
@@ -62,6 +62,7 @@
 #define SECURITY_WIN32
 #include <security.h>
 #include <ntsecapi.h>
+#include <ntstatus.h>
 
 #define MAX_MSG_SIZE 256
 #define MAX_MSPRINC_SIZE 1024
@@ -1265,18 +1266,25 @@ krb5_lcc_next_cred(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor,
     krb5_lcc_cursor *lcursor = (krb5_lcc_cursor *) *cursor;
     krb5_lcc_data *data = (krb5_lcc_data *)id->data;
     KERB_EXTERNAL_TICKET *msticket;
+    krb5_error_code  retval = KRB5_OK;
 
   next_cred:
-    if ( lcursor->index >= lcursor->response->CountOfTickets )
-        return KRB5_CC_END;
+    if ( lcursor->index >= lcursor->response->CountOfTickets ) {
+        if (retval == KRB5_OK)
+            return KRB5_CC_END;
+        else {
+            LsaFreeReturnBuffer(lcursor->mstgt);
+            LsaFreeReturnBuffer(lcursor->response);
+            free(*cursor);
+            *cursor = 0;
+            return retval;
+        }
+    }
 
     if (!GetMSCacheTicketFromCacheInfo(data->LogonHandle, data->PackageId,
                                         &lcursor->response->Tickets[lcursor->index++],&msticket)) {
-        LsaFreeReturnBuffer(lcursor->mstgt);
-        LsaFreeReturnBuffer(lcursor->response);
-        free(*cursor);
-        *cursor = 0;
-        return KRB5_FCC_INTERNAL;
+        retval = KRB5_FCC_INTERNAL;
+        goto next_cred;
     }
 
     /* Don't return tickets with NULL Session Keys */
@@ -1309,10 +1317,13 @@ krb5_lcc_end_seq_get(krb5_context context, krb5_ccache id, krb5_cc_cursor *curso
 {
     krb5_lcc_cursor *lcursor = (krb5_lcc_cursor *) *cursor;
 
-    LsaFreeReturnBuffer(lcursor->mstgt);
-    LsaFreeReturnBuffer(lcursor->response);
-    free(*cursor);
+    if ( lcursor ) {
+        LsaFreeReturnBuffer(lcursor->mstgt);
+        LsaFreeReturnBuffer(lcursor->response);
+        free(*cursor);
+    }
     *cursor = 0;
+
     return KRB5_OK;
 }