[1847] in Release_7.7_team


urgent: DCE-Kerberos interop bug in asn1buf.c

daemon@ATHENA.MIT.EDU (Tom Yu)
Wed Jun 30 20:59:49 1999

Date: Wed, 30 Jun 1999 20:59:40 -0400 (EDT)
Message-Id: <199907010059.UAA17062@saint-elmos-fire.mit.edu>
To: pismere-bugs@MIT.EDU, release-team@MIT.EDU, moof@MIT.EDU
Cc: krbcore@MIT.EDU
From: Tom Yu <tlyu@MIT.EDU>

I know that Athena, pismere, and macdev will be putting out binary
releases containing Kerberos soon, so this is a somewhat urgent issue.

There is a bug in asn1buf.c with regard to decoding the BER
constructed-indefinite-length encoding.  This encoding is not
permitted by the Kerberos protocol, but some DCE Kerberos servers send
it anyway.  The impact of the bug is that structures sent by DCE
Kerberos implementations will not decode properly.  This bug is not
present in 1.0.5, but is present in 1.0.6 and in krb5-current later
than 1998-OCT, and is the result of a patch by Marc Horowitz to skip
extra unexpected fields in an ASN.1 structure (which is also against
the protocol spec, but may be allowable in future versions of the
protocol despite my efforts to prevent it).

krb5/src/lib/krb5/asn1buf.c from revisions 5.15 to 5.16 contains the
relevant changes; the actual diff follows this message.

You should apply this change to any distribution you intend to make
wherein interoperability with DCE Kerberos servers is an issue.  It
may not be an issue with Athena, but it is almost certainly an issue
for the Windows and MacOS binary releases intending to support SAP,
since non-MIT sites may need these binary releases and may also be
running DCE Kerberos servers in their environments.

Please note that this is an interim fix.  The ability to skip trailing
unexpected fields in a structure will not be present in the case of a
structure that has been encoded as constructed-indefinite-length, and
I will at some point soon come up with a more "correct" fix, which may
involve tweaking the ASN.1 encode/decode internals in a non-trivial
fashion.

---Tom

Index: asn1buf.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/asn.1/asn1buf.c,v
retrieving revision 5.15
retrieving revision 5.16
diff -c -r5.15 -r5.16
*** asn1buf.c	1998/10/30 02:54:57	5.15
--- asn1buf.c	1999/07/01 00:38:28	5.16
***************
*** 93,99 ****
       asn1buf * buf;
       asn1buf * subbuf;
  {
!   buf->next = subbuf->bound + 1;
  }
  
  asn1_error_code asn1buf_destroy(buf)
--- 93,107 ----
       asn1buf * buf;
       asn1buf * subbuf;
  {
!   if (subbuf->bound != buf->bound) {
!     buf->next = subbuf->bound + 1;
!   } else {
!     /*
!      * indefinite length; this will suck
!      * XXX - need to skip fields somehow
!      */
!     buf->next = subbuf->next;
!   }
  }
  
  asn1_error_code asn1buf_destroy(buf)
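Review bot: the `subbuf->bound != buf->bound` test in the new `if` is only a proxy for "subbuf was opened with an indefinite length": a definite-length element whose contents end exactly at the enclosing buffer's bound takes the same `else` branch, so the trailing-field skip provided by `buf->next = subbuf->bound + 1` is lost for the last element of a structure too, not only for indefinite-length encodings. Recording the indefinite case explicitly when the subbuffer is created (which is what the `XXX - need to skip fields somehow` comment is reaching for) would make the two paths unambiguous, and `this will suck` should give way to a comment stating the invariant the `else` branch relies on, namely that the sub-decoder has advanced `subbuf->next` past every octet of the element before the parent is resynchronised.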

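The failure mode Tom describes, as an added example that is not part of the original message or of the krb5 asn1buf code: a minimal BER walker in C with an asn1buf-style next/bound cursor (the names berbuf, ber_header, ber_imbed, ber_sync, ber_integer, decode and demo are this example's own). It decodes a constructed sample, SEQUENCE { INTEGER 5, INTEGER 7 } followed by INTEGER 42, once with a definite DER length and once in the constructed indefinite-length form, and resynchronises the outer buffer either the pre-fix way (next = subbuf bound + 1) or using an explicit indefinite-length flag. Unlike the patch, which infers indefinite length from subbuf->bound == buf->bound, the example records the flag when the subbuffer is opened and checks for the end-of-contents octets itself; that is a design choice of the example, not a description of how krb5 handles them.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed example (not krb5 code): an asn1buf-like cursor with a "next"
 * pointer, an inclusive "bound", and an explicit flag for indefinite length. */
typedef struct {
    const unsigned char *next;   /* next octet to read */
    const unsigned char *bound;  /* last readable octet */
    int indefinite;              /* set when the element's length octet was 0x80 */
} berbuf;

/* Read identifier and length octets; *len is -1 for the indefinite form.
 * Short-form lengths only, which is all the samples below need. */
static int ber_header(berbuf *b, unsigned char *tag, long *len)
{
    if (b->bound - b->next < 1) return -1;      /* need a tag octet and a length octet */
    *tag = *b->next++;
    unsigned char l = *b->next++;
    if (l == 0x80) { *len = -1; return 0; }     /* indefinite form: contents end at EOC */
    if (l < 0x80)  { *len = l;  return 0; }     /* short form */
    return -1;                                  /* long form not handled here */
}

/* Open a subbuffer over the contents of the element whose header was just read. */
static int ber_imbed(berbuf *sub, const berbuf *parent, long len)
{
    sub->next = parent->next;
    sub->indefinite = (len < 0);
    if (len < 0) {                              /* length unknown: borrow the parent's bound */
        sub->bound = parent->bound;
    } else {
        if (len > parent->bound - parent->next + 1) return -1;
        sub->bound = parent->next + len - 1;
    }
    return 0;
}

/* Resynchronise the parent after the sub-decoder has finished with sub.
 * Indefinite elements must be followed by the end-of-contents octets 00 00. */
static int ber_sync(berbuf *parent, const berbuf *sub)
{
    if (!sub->indefinite) { parent->next = sub->bound + 1; return 0; }
    if (sub->bound - sub->next < 1 || sub->next[0] != 0 || sub->next[1] != 0) return -1;
    parent->next = sub->next + 2;
    return 0;
}

/* Decode a primitive INTEGER of up to sizeof(long) content octets. */
static int ber_integer(berbuf *b, long *out)
{
    unsigned char tag; long len;
    if (ber_header(b, &tag, &len) < 0 || tag != 0x02) return -1;
    if (len <= 0 || len > (long)sizeof(long) || len > b->bound - b->next + 1) return -1;
    unsigned long v = (b->next[0] & 0x80) ? ~0UL : 0;   /* sign-extend from the first octet */
    for (long i = 0; i < len; i++) v = (v << 8) | b->next[i];
    b->next += len;
    *out = (long)v;
    return 0;
}

/* Decode SEQUENCE { INTEGER a, INTEGER b } followed by one INTEGER at the outer
 * level. With use_old set, the parent is resynchronised the pre-fix way
 * (next = subbuf bound + 1); for an indefinite element that bound is the
 * parent's own, so the cursor jumps past the rest of the message. */
static int decode(const unsigned char *msg, size_t n, int use_old, long *a, long *b, long *after)
{
    berbuf outer = { msg, msg + n - 1, 0 }, seq;
    unsigned char tag; long len;
    if (ber_header(&outer, &tag, &len) < 0 || tag != 0x30) return -1;
    if (ber_imbed(&seq, &outer, len) < 0) return -1;
    if (ber_integer(&seq, a) < 0 || ber_integer(&seq, b) < 0) return -1;
    if (use_old) outer.next = seq.bound + 1;
    else if (ber_sync(&outer, &seq) < 0) return -1;
    return ber_integer(&outer, after);
}

/* Constructed sample messages, not captured traffic: SEQUENCE { 5, 7 } then INTEGER 42,
 * once with a definite (DER) length and once in constructed indefinite-length form. */
static const unsigned char sample_der[]   = { 0x30,0x06, 0x02,0x01,0x05, 0x02,0x01,0x07, 0x02,0x01,0x2A };
static const unsigned char sample_indef[] = { 0x30,0x80, 0x02,0x01,0x05, 0x02,0x01,0x07, 0x00,0x00, 0x02,0x01,0x2A };

/* Returns the trailing INTEGER (42) when the whole message decoded, -1 otherwise. */
static long demo(int indefinite_sample, int use_old)
{
    const unsigned char *msg = indefinite_sample ? sample_indef : sample_der;
    size_t n = indefinite_sample ? sizeof sample_indef : sizeof sample_der;
    long a, b, after;
    if (decode(msg, n, use_old, &a, &b, &after) < 0 || a != 5 || b != 7) return -1;
    return after;
}

int main(void)
{
    printf("DER,        old sync: %ld\n", demo(0, 1));   /* 42 */
    printf("indefinite, old sync: %ld\n", demo(1, 1));   /* -1: parent skipped past the message */
    printf("indefinite, new sync: %ld\n", demo(1, 0));   /* 42 */
    return 0;
}
```

With the pre-fix sync, the indefinite-length sample moves the outer cursor past the whole message, so the trailing INTEGER is never seen and decoding fails; the DER sample is unaffected either way, which is why the bug only shows up against servers that emit the BER indefinite form.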