From d7efa6c29ff7bba47e42d0c4df89f5a40dfa2752 Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Wed, 19 Mar 2008 23:03:59 +0000 Subject: [PATCH] Apply patch for MITKRB5-SA-2008-001 ticket: 5919 version_fixed: 1.6.4 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@20283 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kdc/dispatch.c | 4 +- src/kdc/kerberos_v4.c | 104 +++++++++++++++++------------------------- src/kdc/network.c | 4 +- 3 files changed, 48 insertions(+), 64 deletions(-) diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c index 1d7c3bed7..d32355c00 100644 --- a/src/kdc/dispatch.c +++ b/src/kdc/dispatch.c @@ -1,7 +1,7 @@ /* * kdc/dispatch.c * - * Copyright 1990 by the Massachusetts Institute of Technology. + * Copyright 1990, 2007 by the Massachusetts Institute of Technology. * * Export of this software from the United States of America may * require a specific license from the United States Government. @@ -107,7 +107,7 @@ dispatch(krb5_data *pkt, const krb5_fulladdr *from, krb5_data **response) retval = KRB5KRB_AP_ERR_MSG_TYPE; #ifndef NOCACHE /* put the response into the lookaside buffer */ - if (!retval) + if (!retval && *response != NULL) kdc_insert_lookaside(pkt, *response); #endif diff --git a/src/kdc/kerberos_v4.c b/src/kdc/kerberos_v4.c index 9f93e451e..2c4b56705 100644 --- a/src/kdc/kerberos_v4.c +++ b/src/kdc/kerberos_v4.c @@ -1,7 +1,7 @@ /* * kdc/kerberos_v4.c * - * Copyright 1985, 1986, 1987, 1988,1991 by the Massachusetts Institute + * Copyright 1985, 1986, 1987, 1988,1991,2007 by the Massachusetts Institute * of Technology. * All Rights Reserved. * @@ -87,11 +87,6 @@ extern int krbONE; #define MSB_FIRST 0 /* 68000, IBM RT/PC */ #define LSB_FIRST 1 /* Vax, PC8086 */ -int f; - -/* XXX several files in libkdb know about this */ -char *progname; - #ifndef BACKWARD_COMPAT static Key_schedule master_key_schedule; static C_Block master_key; @@ -143,10 +138,8 @@ static void hang(void); #include "com_err.h" #include "extern.h" /* to pick up master_princ */ -static krb5_data *response; - -void kerberos_v4 (struct sockaddr_in *, KTEXT); -void kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *); +static krb5_data *kerberos_v4 (struct sockaddr_in *, KTEXT); +static krb5_data *kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *); static int set_tgtkey (char *, krb5_kvno, krb5_boolean); /* Attributes converted from V5 to V4 - internal representation */ @@ -262,12 +255,12 @@ process_v4(const krb5_data *pkt, const krb5_fulladdr *client_fulladdr, (void) klog(L_KRB_PERR, "V4 request too long."); return KRB5KRB_ERR_FIELD_TOOLONG; } + memset( &v4_pkt, 0, sizeof(v4_pkt)); v4_pkt.length = pkt->length; v4_pkt.mbz = 0; memcpy( v4_pkt.dat, pkt->data, pkt->length); - kerberos_v4( &client_sockaddr, &v4_pkt); - *resp = response; + *resp = kerberos_v4( &client_sockaddr, &v4_pkt); return(retval); } @@ -300,19 +293,20 @@ char * v4_klog( int type, const char *format, ...) } static -int krb4_sendto(int s, const char *msg, int len, int flags, - const struct sockaddr *to, int to_len) +krb5_data *make_response(const char *msg, int len) { + krb5_data *response; + if ( !(response = (krb5_data *) malloc( sizeof *response))) { - return ENOMEM; + return 0; } if ( !(response->data = (char *) malloc( len))) { krb5_free_data(kdc_context, response); - return ENOMEM; + return 0; } response->length = len; memcpy( response->data, msg, len); - return( 0); + return response; } static void hang(void) @@ -586,7 +580,7 @@ static void str_length_check(char *str, int max_size) *cp = 0; } -void +static krb5_data * kerberos_v4(struct sockaddr_in *client, KTEXT pkt) { static KTEXT_ST rpkt_st; @@ -599,7 +593,7 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt) KTEXT auth = &auth_st; AUTH_DAT ad_st; AUTH_DAT *ad = &ad_st; - + krb5_data *response = 0; static struct in_addr client_host; static int msg_byte_order; @@ -637,8 +631,7 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt) inet_ntoa(client_host)); /* send an error reply */ req_name_ptr = req_inst_ptr = req_realm_ptr = ""; - kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); - return; + return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); } /* check packet version */ @@ -648,8 +641,7 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt) KRB_PROT_VERSION, req_version, 0); /* send an error reply */ req_name_ptr = req_inst_ptr = req_realm_ptr = ""; - kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); - return; + return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); } msg_byte_order = req_msg_type & 1; @@ -707,10 +699,10 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt) if ((i = check_princ(req_name_ptr, req_inst_ptr, 0, &a_name_data, &k5key, 0, &ck5life))) { - kerb_err_reply(client, pkt, i, "check_princ failed"); + response = kerb_err_reply(client, pkt, i, "check_princ failed"); a_name_data.key_low = a_name_data.key_high = 0; krb5_free_keyblock_contents(kdc_context, &k5key); - return; + return response; } /* don't use k5key for client */ krb5_free_keyblock_contents(kdc_context, &k5key); @@ -722,11 +714,11 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt) /* this does all the checking */ if ((i = check_princ(service, instance, lifetime, &s_name_data, &k5key, 1, &sk5life))) { - kerb_err_reply(client, pkt, i, "check_princ failed"); + response = kerb_err_reply(client, pkt, i, "check_princ failed"); a_name_data.key_high = a_name_data.key_low = 0; s_name_data.key_high = s_name_data.key_low = 0; krb5_free_keyblock_contents(kdc_context, &k5key); - return; + return response; } /* Bound requested lifetime with service and user */ v4req_end = krb_life_to_time(kerb_time.tv_sec, req_life); @@ -797,8 +789,7 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt) rpkt = create_auth_reply(req_name_ptr, req_inst_ptr, req_realm_ptr, req_time_ws, 0, a_name_data.exp_date, a_name_data.key_version, ciph); - krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0, - (struct sockaddr *) client, sizeof (struct sockaddr_in)); + response = make_response((char *) rpkt->dat, rpkt->length); memset(&a_name_data, 0, sizeof(a_name_data)); memset(&s_name_data, 0, sizeof(s_name_data)); break; @@ -824,9 +815,8 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt) lt = klog(L_KRB_PERR, "APPL request with realm length too long from %s", inet_ntoa(client_host)); - kerb_err_reply(client, pkt, RD_AP_INCON, - "realm length too long"); - return; + return kerb_err_reply(client, pkt, RD_AP_INCON, + "realm length too long"); } auth->length += (int) *(pkt->dat + auth->length) + @@ -835,9 +825,8 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt) lt = klog(L_KRB_PERR, "APPL request with funky tkt or req_id length from %s", inet_ntoa(client_host)); - kerb_err_reply(client, pkt, RD_AP_INCON, - "funky tkt or req_id length"); - return; + return kerb_err_reply(client, pkt, RD_AP_INCON, + "funky tkt or req_id length"); } memcpy(auth->dat, pkt->dat, auth->length); @@ -848,18 +837,16 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt) if ((!allow_v4_crossrealm)&&strcmp(tktrlm, local_realm) != 0) { lt = klog(L_ERR_UNK, "Cross realm ticket from %s denied by policy,", tktrlm); - kerb_err_reply(client, pkt, - KERB_ERR_PRINCIPAL_UNKNOWN, lt); - return; + return kerb_err_reply(client, pkt, + KERB_ERR_PRINCIPAL_UNKNOWN, lt); } if (set_tgtkey(tktrlm, kvno, 0)) { - lt = klog(L_ERR_UNK, + lt = klog(L_ERR_UNK, "FAILED set_tgtkey realm %s, kvno %d. Host: %s ", tktrlm, kvno, inet_ntoa(client_host)); /* no better error code */ - kerb_err_reply(client, pkt, - KERB_ERR_PRINCIPAL_UNKNOWN, lt); - return; + return kerb_err_reply(client, pkt, + KERB_ERR_PRINCIPAL_UNKNOWN, lt); } kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr, ad, 0); @@ -869,9 +856,8 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt) "FAILED 3des set_tgtkey realm %s, kvno %d. Host: %s ", tktrlm, kvno, inet_ntoa(client_host)); /* no better error code */ - kerb_err_reply(client, pkt, - KERB_ERR_PRINCIPAL_UNKNOWN, lt); - return; + return kerb_err_reply(client, pkt, + KERB_ERR_PRINCIPAL_UNKNOWN, lt); } kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr, ad, 0); @@ -881,8 +867,7 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt) klog(L_ERR_UNK, "FAILED krb_rd_req from %s: %s", inet_ntoa(client_host), krb_get_err_text(kerno)); req_name_ptr = req_inst_ptr = req_realm_ptr = ""; - kerb_err_reply(client, pkt, kerno, "krb_rd_req failed"); - return; + return kerb_err_reply(client, pkt, kerno, "krb_rd_req failed"); } ptr = (char *) pkt->dat + auth->length; @@ -904,22 +889,21 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt) req_realm_ptr = ad->prealm; if (strcmp(ad->prealm, tktrlm)) { - kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, - "Can't hop realms"); - return; + return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, + "Can't hop realms"); } if (!strcmp(service, "changepw")) { - kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, - "Can't authorize password changed based on TGT"); - return; + return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, + "Can't authorize password changed based on TGT"); } kerno = check_princ(service, instance, req_life, &s_name_data, &k5key, 1, &sk5life); if (kerno) { - kerb_err_reply(client, pkt, kerno, "check_princ failed"); + response = kerb_err_reply(client, pkt, kerno, + "check_princ failed"); s_name_data.key_high = s_name_data.key_low = 0; krb5_free_keyblock_contents(kdc_context, &k5key); - return; + return response; } /* Bound requested lifetime with service and user */ v4endtime = krb_life_to_time((KRB4_32)ad->time_sec, ad->life); @@ -975,8 +959,7 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt) rpkt = create_auth_reply(ad->pname, ad->pinst, ad->prealm, time_ws, 0, 0, 0, ciph); - krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0, - (struct sockaddr *) client, sizeof (struct sockaddr_in)); + response = make_response((char *) rpkt->dat, rpkt->length); memset(&s_name_data, 0, sizeof(s_name_data)); break; } @@ -1001,6 +984,7 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt) break; } } + return response; } @@ -1010,7 +994,7 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt) * client. */ -void +static krb5_data * kerb_err_reply(struct sockaddr_in *client, KTEXT pkt, long int err, char *string) { static KTEXT_ST e_pkt_st; @@ -1021,9 +1005,7 @@ kerb_err_reply(struct sockaddr_in *client, KTEXT pkt, long int err, char *string strncat(e_msg, string, sizeof(e_msg) - 1 - 19); cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr, req_time_ws, err, e_msg); - krb4_sendto(f, (char *) e_pkt->dat, e_pkt->length, 0, - (struct sockaddr *) client, sizeof (struct sockaddr_in)); - + return make_response((char *) e_pkt->dat, e_pkt->length); } static int diff --git a/src/kdc/network.c b/src/kdc/network.c index 3cb4400df..45604466b 100644 --- a/src/kdc/network.c +++ b/src/kdc/network.c @@ -1,7 +1,7 @@ /* * kdc/network.c * - * Copyright 1990,2000 by the Massachusetts Institute of Technology. + * Copyright 1990,2000,2007 by the Massachusetts Institute of Technology. * * Export of this software from the United States of America may * require a specific license from the United States Government. @@ -747,6 +747,8 @@ static void process_packet(struct connection *conn, const char *prog, com_err(prog, retval, "while dispatching (udp)"); return; } + if (response == NULL) + return; cc = sendto(port_fd, response->data, (socklen_t) response->length, 0, (struct sockaddr *)&saddr, saddr_len); if (cc == -1) { -- 2.26.2