From 3c069b7b1a74fd776431a4c792a4bc5163b03328 Mon Sep 17 00:00:00 2001 From: Ken Raeburn Date: Tue, 1 Apr 2003 22:37:36 +0000 Subject: [PATCH] Red Hat's krb5_princ_size fixes ticket: 1397 status: open tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15312 dc483132-0cff-0310-8789-dd5450dbe970 --- src/appl/telnet/libtelnet/ChangeLog | 5 +++++ src/appl/telnet/libtelnet/kerberos5.c | 4 ++++ src/clients/ksu/ChangeLog | 7 +++++++ src/clients/ksu/heuristic.c | 2 +- src/clients/ksu/krb_auth_su.c | 4 +++- src/kdc/ChangeLog | 7 +++++++ src/kdc/do_tgs_req.c | 2 +- src/kdc/kdc_util.c | 6 ++++-- src/krb524/ChangeLog | 5 +++++ src/krb524/krb524d.c | 2 +- src/lib/krb5/keytab/ChangeLog | 7 +++++++ src/lib/krb5/keytab/kt_file.c | 10 +++++----- src/lib/krb5/krb/ChangeLog | 11 +++++++++++ src/lib/krb5/krb/gc_frm_kdc.c | 4 +++- src/lib/krb5/krb/parse.c | 9 ++++++--- src/lib/krb5/krb/srv_rcache.c | 3 +++ 16 files changed, 73 insertions(+), 15 deletions(-) diff --git a/src/appl/telnet/libtelnet/ChangeLog b/src/appl/telnet/libtelnet/ChangeLog index 899927446..11380530f 100644 --- a/src/appl/telnet/libtelnet/ChangeLog +++ b/src/appl/telnet/libtelnet/ChangeLog @@ -1,3 +1,8 @@ +2003-04-01 Nalin Dahyabhai + + * kerberos5.c (kerberos5_is): Check principal name length before + examining components. + 2003-01-07 Ken Raeburn * Makefile.orig: Deleted. diff --git a/src/appl/telnet/libtelnet/kerberos5.c b/src/appl/telnet/libtelnet/kerberos5.c index 3a1c8f24e..eb150a7c0 100644 --- a/src/appl/telnet/libtelnet/kerberos5.c +++ b/src/appl/telnet/libtelnet/kerberos5.c @@ -446,6 +446,10 @@ kerberos5_is(ap, data, cnt) * first component of a service name especially since * the default is of length 4. */ + if (krb5_princ_size(telnet_context,ticket->server) < 1) { + (void) strcpy(errbuf, "malformed service name"); + goto errout; + } if (krb5_princ_component(telnet_context,ticket->server,0)->length < 256) { char princ[256]; strncpy(princ, diff --git a/src/clients/ksu/ChangeLog b/src/clients/ksu/ChangeLog index 44415a033..17a1dffe8 100644 --- a/src/clients/ksu/ChangeLog +++ b/src/clients/ksu/ChangeLog @@ -1,3 +1,10 @@ +2003-04-01 Nalin Dahyabhai + + * heuristic.c (get_closest_principal): Don't try to examine + principal name components after the last. + * krb_auth_su.c (get_best_principal): Check principal name length + before examining components. + 2002-12-23 Ezra Peisach * authorization.c, heuristic.c, ksu.h: Use uid_t instead of int in diff --git a/src/clients/ksu/heuristic.c b/src/clients/ksu/heuristic.c index c79f94369..85b94b5e2 100644 --- a/src/clients/ksu/heuristic.c +++ b/src/clients/ksu/heuristic.c @@ -364,7 +364,7 @@ krb5_error_code get_closest_principal(context, plist, client, found) krb5_data *p2 = krb5_princ_component(context, temp_client, j); - if ((p1->length != p2->length) || + if (!p1 || !p2 || (p1->length != p2->length) || memcmp(p1->data,p2->data,p1->length)){ got_one = FALSE; break; diff --git a/src/clients/ksu/krb_auth_su.c b/src/clients/ksu/krb_auth_su.c index 6e76149c1..8e1834240 100644 --- a/src/clients/ksu/krb_auth_su.c +++ b/src/clients/ksu/krb_auth_su.c @@ -547,7 +547,9 @@ krb5_error_code get_best_principal(context, plist, client) krb5_princ_realm(context, temp_client)->length))){ - if(nelem){ + if (nelem && + krb5_princ_size(context, *client) > 0 && + krb5_princ_size(context, temp_client) > 0) { krb5_data *p1 = krb5_princ_component(context, *client, 0); krb5_data *p2 = diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog index 29bec03c5..11bd82825 100644 --- a/src/kdc/ChangeLog +++ b/src/kdc/ChangeLog @@ -1,3 +1,10 @@ +2003-04-01 Nalin Dahyabhai + + * do_tgs_req.c (process_tgs_req): Check that principal name + component 1 is present before examining it. + * kdc_util.c (krb5_is_tgs_principal, validate_tgs_request): Check + principal name length before examining components. + 2003-03-28 Tom Yu * kdc_preauth.c (verify_enc_timestamp): Save decryption error, in diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 0c6116e21..c8b679bc2 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -174,7 +174,7 @@ tgt_again: krb5_data *tgs_1 = krb5_princ_component(kdc_context, tgs_server, 1); - if (server_1->length != tgs_1->length || + if (!tgs_1 || server_1->length != tgs_1->length || memcmp(server_1->data, tgs_1->data, tgs_1->length)) { krb5_db_free_principal(kdc_context, &server, nprincs); find_alternate_tgs(request, &server, &more, &nprincs); diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 736c51d12..9e9aa3f98 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -150,7 +150,8 @@ realm_compare(krb5_principal princ1, krb5_principal princ2) */ krb5_boolean krb5_is_tgs_principal(krb5_principal principal) { - if ((krb5_princ_component(kdc_context, principal, 0)->length == + if ((krb5_princ_size(kdc_context, principal) > 0) && + (krb5_princ_component(kdc_context, principal, 0)->length == KRB5_TGS_NAME_SIZE) && (!memcmp(krb5_princ_component(kdc_context, principal, 0)->data, KRB5_TGS_NAME, KRB5_TGS_NAME_SIZE))) @@ -1162,7 +1163,8 @@ validate_tgs_request(register krb5_kdc_req *request, krb5_db_entry server, return KRB_AP_ERR_NOT_US; } /* ...and that the second component matches the server realm... */ - if ((krb5_princ_component(kdc_context, ticket->server, 1)->length != + if ((krb5_princ_size(kdc_context, ticket->server) <= 1) || + (krb5_princ_component(kdc_context, ticket->server, 1)->length != krb5_princ_realm(kdc_context, request->server)->length) || memcmp(krb5_princ_component(kdc_context, ticket->server, 1)->data, krb5_princ_realm(kdc_context, request->server)->data, diff --git a/src/krb524/ChangeLog b/src/krb524/ChangeLog index ba03cc0da..80e6c891f 100644 --- a/src/krb524/ChangeLog +++ b/src/krb524/ChangeLog @@ -1,3 +1,8 @@ +2003-04-01 Nalin Dahyabhai + + * krb524d.c (do_connection): Use krb5_princ_size rather than + direct structure field access. + 2003-03-16 Sam Hartman * krb524d.c (handle_classic_v4): Do not support 3des enctypes as diff --git a/src/krb524/krb524d.c b/src/krb524/krb524d.c index 0dce9cbc9..76025067e 100644 --- a/src/krb524/krb524d.c +++ b/src/krb524/krb524d.c @@ -350,7 +350,7 @@ krb5_error_code do_connection(s, context) if (debug) printf("V5 ticket decoded\n"); - if( v5tkt->server->length >= 1 + if( krb5_princ_size(context, v5tkt->server) >= 1 &&krb5_princ_component(context, v5tkt->server, 0)->length == 3 &&strncmp(krb5_princ_component(context, v5tkt->server, 0)->data, "afs", 3) == 0) { diff --git a/src/lib/krb5/keytab/ChangeLog b/src/lib/krb5/keytab/ChangeLog index ef0e702f1..864a412e7 100644 --- a/src/lib/krb5/keytab/ChangeLog +++ b/src/lib/krb5/keytab/ChangeLog @@ -1,3 +1,10 @@ +2003-04-01 Nalin Dahyabhai + + * kt_file.c (krb5_ktfileint_internal_read_entry): Use + krb5_princ_size instead of direct field access. + (krb5_ktfileint_write_entry, krb5_ktfileint_size_entry): + Likewise. + 2003-02-08 Tom Yu * kt_file.c (krb5_ktfile_get_entry): Fix comment; not going to diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c index 9e4f15aa7..9b7b9ae8f 100644 --- a/src/lib/krb5/keytab/kt_file.c +++ b/src/lib/krb5/keytab/kt_file.c @@ -1324,7 +1324,7 @@ krb5_ktfileint_internal_read_entry(krb5_context context, krb5_keytab id, krb5_ke return 0; fail: - for (i = 0; i < ret_entry->principal->length; i++) { + for (i = 0; i < krb5_princ_size(context, ret_entry->principal); i++) { princ = krb5_princ_component(context, ret_entry->principal, i); if (princ->data) free(princ->data); @@ -1375,9 +1375,9 @@ krb5_ktfileint_write_entry(krb5_context context, krb5_keytab id, krb5_keytab_ent } if (KTVERSION(id) == KRB5_KT_VNO_1) { - count = (krb5_int16) entry->principal->length + 1; + count = (krb5_int16) krb5_princ_size(context, entry->principal) + 1; } else { - count = htons((u_short) entry->principal->length); + count = htons((u_short) krb5_princ_size(context, entry->principal)); } if (!xfwrite(&count, sizeof(count), 1, KTFILEP(id))) { @@ -1396,7 +1396,7 @@ krb5_ktfileint_write_entry(krb5_context context, krb5_keytab id, krb5_keytab_ent goto abend; } - count = (krb5_int16) entry->principal->length; + count = (krb5_int16) krb5_princ_size(context, entry->principal); for (i = 0; i < count; i++) { princ = krb5_princ_component(context, entry->principal, i); size = princ->length; @@ -1494,7 +1494,7 @@ krb5_ktfileint_size_entry(krb5_context context, krb5_keytab_entry *entry, krb5_i krb5_int32 total_size, i; krb5_error_code retval = 0; - count = (krb5_int16) entry->principal->length; + count = (krb5_int16) krb5_princ_size(context, entry->principal); total_size = sizeof(count); total_size += krb5_princ_realm(context, entry->principal)->length + (sizeof(krb5_int16)); diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog index f72e6caeb..59ab6802d 100644 --- a/src/lib/krb5/krb/ChangeLog +++ b/src/lib/krb5/krb/ChangeLog @@ -1,3 +1,14 @@ +2003-04-01 Nalin Dahyabhai + + * gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): Check principal name + length before examining components. + + * parse.c (krb5_parse_name): Double-check principal name length + before filling in components. + + * srv_rcache.c (krb5_get_server_rcache): Check for null pointer + supplied in place of name. + 2003-04-01 Sam Hartman * rd_req.c (krb5_rd_req): If AUTH_CONTEXT_DO_TIME is cleared, diff --git a/src/lib/krb5/krb/gc_frm_kdc.c b/src/lib/krb5/krb/gc_frm_kdc.c index fdf00e6b1..b5c99428a 100644 --- a/src/lib/krb5/krb/gc_frm_kdc.c +++ b/src/lib/krb5/krb/gc_frm_kdc.c @@ -341,7 +341,9 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds for (next_server = top_server; *next_server; next_server++) { krb5_data *realm_1 = krb5_princ_component(context, next_server[0], 1); krb5_data *realm_2 = krb5_princ_component(context, tgtr->server, 1); - if (realm_1->length == realm_2->length && + if (realm_1 != NULL && + realm_2 != NULL && + realm_1->length == realm_2->length && !memcmp(realm_1->data, realm_2->data, realm_1->length)) { break; } diff --git a/src/lib/krb5/krb/parse.c b/src/lib/krb5/krb/parse.c index abbcfbe2d..3debb6acf 100644 --- a/src/lib/krb5/krb/parse.c +++ b/src/lib/krb5/krb/parse.c @@ -170,11 +170,13 @@ krb5_parse_name(krb5_context context, const char *name, krb5_principal *nprincip cp++; size++; } else if (c == COMPONENT_SEP) { - krb5_princ_component(context, principal, i)->length = size; + if (krb5_princ_size(context, principal) > i) + krb5_princ_component(context, principal, i)->length = size; size = 0; i++; } else if (c == REALM_SEP) { - krb5_princ_component(context, principal, i)->length = size; + if (krb5_princ_size(context, principal) > i) + krb5_princ_component(context, principal, i)->length = size; size = 0; parsed_realm = cp+1; } else @@ -183,7 +185,8 @@ krb5_parse_name(krb5_context context, const char *name, krb5_principal *nprincip if (parsed_realm) krb5_princ_realm(context, principal)->length = size; else - krb5_princ_component(context, principal, i)->length = size; + if (krb5_princ_size(context, principal) > i) + krb5_princ_component(context, principal, i)->length = size; if (i + 1 != components) { #if !defined(_WIN32) && !defined(macintosh) fprintf(stderr, diff --git a/src/lib/krb5/krb/srv_rcache.c b/src/lib/krb5/krb/srv_rcache.c index aa41bc52b..e2e5ed690 100644 --- a/src/lib/krb5/krb/srv_rcache.c +++ b/src/lib/krb5/krb/srv_rcache.c @@ -48,6 +48,9 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece, krb5_rcache unsigned long uid = geteuid(); #endif + if (piece == NULL) + return ENOMEM; + rcache = (krb5_rcache) malloc(sizeof(*rcache)); if (!rcache) return ENOMEM; -- 2.26.2