[3821] in Kerberos
bug found in kdc (w/fix)
daemon@ATHENA.MIT.EDU (Dave McGuire)
Sat Sep 10 20:08:22 1994
To: kerberos@MIT.EDU
Date: 10 Sep 1994 19:46:27 -0400
From: mcguire@rocinante.digex.net (Dave McGuire)
Hey...Just found a bug in krb5kdc relating to cross-realm
authentication. It results in a "PROCESS_TGS: failed lineage check"
error when the realm names are different but are of the same length.
In the following little snippet of code, the "||" should be "&&", as
far as I can tell. Hopefully someone more familiar with the internals
will sanity check this for me; but it seems to be the Right Thing(tm).
>     if (foreign_server) {
>         krb5_data *tkt_realm = krb5_princ_realm(ticket_enc->client);
>         krb5_data *tgs_realm = krb5_princ_realm(tgs_server);
==> >     if (tkt_realm->length == tgs_realm->length ||
>             !memcmp(tkt_realm->data, tgs_realm->data, tgs_realm->length)) {
>             /* someone in a foreign realm claiming to be local */
>             syslog(LOG_INFO, "PROCESS_TGS: failed lineage check");
>             retval = KRB5KDC_ERR_POLICY;
>             goto cleanup;
>         }
>     }
The following patch fixes this:
---cut here---
*** kdc_util.c Sat Sep 10 19:41:20 1994
--- kdc_util.c~ Sat Jul 16 02:00:59 1994
***************
*** 294,298 ****
krb5_data *tkt_realm = krb5_princ_realm(ticket_enc->client);
krb5_data *tgs_realm = krb5_princ_realm(tgs_server);
! if (tkt_realm->length == tgs_realm->length ||
!memcmp(tkt_realm->data, tgs_realm->data, tgs_realm->length)) {
/* someone in a foreign realm claiming to be local */
--- 294,298 ----
krb5_data *tkt_realm = krb5_princ_realm(ticket_enc->client);
krb5_data *tgs_realm = krb5_princ_realm(tgs_server);
! if (tkt_realm->length == tgs_realm->length &&
!memcmp(tkt_realm->data, tgs_realm->data, tgs_realm->length)) {
/* someone in a foreign realm claiming to be local */
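Review bot: The file headers and the hunk body disagree about direction. `*** kdc_util.c Sat Sep 10 19:41:20 1994` puts the file with the later date on the "from" side and `--- kdc_util.c~ Sat Jul 16 02:00:59 1994` puts the older, backup-named file on the "to" side, while the body goes from `||` to `&&`. Regenerating the diff with the unmodified file as the first argument would make the headers match the change being proposed. On the condition at 294-298, `&&` also means memcmp only runs once the two lengths are known to be equal, so tgs_realm->length is a valid bound for both buffers. Under `||` the compare ran precisely when the lengths differed, including when tkt_realm->data was the shorter of the two.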
---cut here---
-Dave McGuire
Operations
Digital Express Group, Incorporated
mcguire@digex.net
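The effect of the one-operator change described in the message above, as an added example that is not part of the original post or of the krb5 source. The realm_t type, the helper names and the realm names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Counted string, modelled on the length/data fields the post's code uses. */
typedef struct {
    unsigned int length;
    const char *data;
} realm_t;

/* Original test: "||" rejects on equal length alone, or on a matching prefix. */
static int rejects_buggy(const realm_t *tkt, const realm_t *tgs)
{
    return tkt->length == tgs->length ||
           !memcmp(tkt->data, tgs->data, tgs->length);
}

/* Patched test: reject only when both realms are byte-for-byte identical. */
static int rejects_fixed(const realm_t *tkt, const realm_t *tgs)
{
    return tkt->length == tgs->length &&
           !memcmp(tkt->data, tgs->data, tgs->length);
}

#define REALM(s) { sizeof(s) - 1, s }

/* Constructed realm names; ticket realms are never shorter than the TGS
 * realm, so the buggy memcmp stays inside its buffers in this demo. */
static const realm_t local     = REALM("ALPHA.EXAMPLE");
static const realm_t same_len  = REALM("OMEGA.EXAMPLE");
static const realm_t extension = REALM("ALPHA.EXAMPLE.ORG");
static const realm_t unrelated = REALM("BETA.EXAMPLE.ORG");

int main(void)
{
    const struct { const char *label; const realm_t *tkt; } cases[] = {
        { "identical realm",        &local },
        { "same length, different", &same_len },
        { "local realm as prefix",  &extension },
        { "unrelated, longer",      &unrelated },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-24s buggy=%d fixed=%d\n", cases[i].label,
               rejects_buggy(cases[i].tkt, &local),
               rejects_fixed(cases[i].tkt, &local));
    return 0;
}
```

A return value of 1 corresponds to the "failed lineage check" branch being taken; only the identical-realm case should take it.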