[673] in Kerberos
Bug in Kerberos server
daemon@TELECOM.MIT.EDU (John T Kohl)
Tue Mar 14 23:46:21 1989
From: John T Kohl <jtkohl@ATHENA.MIT.EDU>
To: kerberos@ATHENA.MIT.EDU
Cc: jis@ATHENA.MIT.EDU, kerberos-bugs@ATHENA.MIT.EDU, krbdev@ATHENA.MIT.EDU
A bug in the Kerberos server has been found and fixed. Apply the
following fix to your sources (server/kerberos.c). Using the 'patch'
program should work fine.
This patch is also available as patch1 in the Kerberos distribution on
ATHENA-DIST (retrieve pub/kerberos/README.ftp for information about that
distribution).
John Kohl <jtkohl@ATHENA.MIT.EDU> Digital Equipment Corporation/Project Athena
---- cut here ---
*** kerberos.c Tue Jan 24 20:45:46 1989
--- /mit/kerberos/src/server/kerberos.c Tue Mar 14 19:55:53 1989
***************
*** 1,6 ****
/*
* $Source: /mit/kerberos/src/server/RCS/kerberos.c,v $
! * $Author: root $
*
* Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
* of Technology.
--- 1,6 ----
/*
* $Source: /mit/kerberos/src/server/RCS/kerberos.c,v $
! * $Author: jon $
*
* Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
* of Technology.
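Review bot: The only change in this hunk is the expanded RCS keyword ($Author: root $ to $Author: jon $), and it should be left out of a patch that is distributed to other sites. Any site that has checked kerberos.c into its own RCS tree will have a different expansion on that line, so 'patch' can reject or fuzz this hunk even though it carries no code. The same applies to the $Header$ line in the next hunk. Generating the diff with keywords unexpanded, or trimming these hunks by hand, leaves only the functional change at line 533.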
***************
*** 11,17 ****
#ifndef lint
static char *rcsid_kerberos_c =
! "$Header: kerberos.c,v 4.15 89/01/24 20:45:13 root Exp $";
#endif lint
#include <mit-copyright.h>
--- 11,17 ----
#ifndef lint
static char *rcsid_kerberos_c =
! "$Header: kerberos.c,v 4.16 89/03/14 19:54:36 jon Exp $";
#endif lint
#include <mit-copyright.h>
***************
*** 533,538 ****
--- 533,543 ----
ad->pname, ad->pinst, ad->prealm, inet_ntoa(client_host),
service, instance, 0);
+ if (strcmp(ad->prealm, tktrlm)) {
+ kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN,
+ "Can't hop realms");
+ return;
+ }
if (!strcmp(service, "changepw")) {
kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN,
"Can't authorize password changed based on TGT");
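Review bot: The added `if (strcmp(ad->prealm, tktrlm))` block has no comment stating what it enforces, and the reply string "Can't hop realms" is the only explanation the reader gets. A short comment above the test should say that a request is refused when the realm in ad->prealm differs from tktrlm, and why that must hold at this point. Two smaller points: write the test as `strcmp(ad->prealm, tktrlm) != 0` so the mismatch sense is explicit next to the `!strcmp(service, "changepw")` test that follows, and consider whether KERB_ERR_PRINCIPAL_UNKNOWN is the right code here, since the client then receives the same error code for a realm mismatch as for the changepw refusal below and can tell them apart only by the text.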