[1454] in Kerberos-V5-bugs
Kerberos5 Beta 4 bug in gss-sample
daemon@ATHENA.MIT.EDU (Mark Champine)
Tue Jun 6 16:58:55 1995
To: krb5-bugs@MIT.EDU
Date: Tue, 06 Jun 1995 16:58:45 -0400
From: Mark Champine <champine@apollo.hp.com>
Kerberos5 Beta 4: bug in krb5/src/appl/gss-sample:
When using DCE for key distribution, an unexpectedly large (>512 bytes)
token may be written to the socket by send_tok, and read by recv_tok.
In some situations, the entire token is not consumed with a single
read. The fix involves adding a loop to consume the entire token.
*** gss-misc.c.old Mon Jun 5 13:51:19 1995
--- gss-misc.c Mon Jun 5 13:50:23 1995
***************
*** 104,109 ****
--- 104,110 ----
int recv_token(int s, gss_buffer_t tok)
{
int ret;
+ int readsofar;
ret = read(s, (char *) &tok->length, 4);
if (ret < 0) {
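Review bot: `tok->length` is filled straight from four bytes off the socket by `read(s, (char *) &tok->length, 4)` and then bounds the new read loop, whose counter `readsofar` is a plain `int`. The lines between the two hunks are not shown, so it cannot be confirmed from here whether the length is capped before the buffer is allocated. If it is not, a peer can make the server allocate whatever size it names, and a length above INT_MAX would overflow `readsofar`. A sanity limit right after the length read would cover both, e.g. `if (tok->length > MAX_TOKEN_LEN) return -1;`, where `MAX_TOKEN_LEN` is a placeholder for a limit the project chooses. recv_token's body continues outside this hunk.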
***************
*** 122,138 ****
return -1;
}
! ret = read(s, (char *) tok->value, tok->length);
! if (ret < 0) {
! perror("reading token data");
! free(tok->value);
! return -1;
! } else if (ret != tok->length) {
! fprintf(stderr, "sending token data: %d of %d bytes written\n",
! ret, tok->length);
! free(tok->value);
! return -1;
! }
return 0;
}
--- 123,140 ----
return -1;
}
! readsofar = 0;
! do {
! ret = read(s, (char *) tok->value+readsofar, tok->
length-readsofar);
! fprintf(stderr, "reading token data: %d of %d bytes read\n",
! ret,tok->length-readsofar);
! readsofar += ret;
! if (ret < 0) {
! perror("reading token data");
! free(tok->value);
! return -1;
! }
! } while (readsofar < tok->length);
return 0;
}
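Review bot: The new loop never terminates if the peer closes the connection mid-token: `read()` returns 0, `readsofar` does not advance, and `readsofar < tok->length` stays true, so the process spins and writes to stderr indefinitely. `ret` is also printed and added to `readsofar` before the `ret < 0` check, and the unconditional `fprintf` on every pass looks like leftover debugging output. Check the result first, treat 0 as an error alongside the negative case, and only then accumulate, as in the loop body below. recv_token begins above this hunk.

```c
do {
    ret = read(s, (char *) tok->value + readsofar, tok->length - readsofar);
    /* … unchanged: ret < 0 branch (perror, free, return -1), now ahead of the accumulation … */
    if (ret == 0) {
        /* peer closed the connection before the whole token arrived */
        fprintf(stderr, "reading token data: connection closed after %d bytes\n",
                readsofar);
        free(tok->value);
        return -1;
    }
    readsofar += ret;
} while (readsofar < tok->length);
```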