[1634] in Kerberos-V5-bugs
bug in Kerberos 5 B5 kadmind5 on IRIX 5.3
daemon@ATHENA.MIT.EDU (Chris Wilson)
Wed Sep 20 01:53:35 1995
Date: Tue, 19 Sep 95 22:53:23 PDT
From: Chris Wilson <cwilson@CS.Stanford.EDU>
To: krb5-bugs@MIT.EDU
There appears to be a bug in the configuration file parsing routines
used by kadmind5 that is triggered by a rather unusual fact about IRIX
5.3.
The symptom is that kadmind5 gives a syntax error while reading the
ACL file, no matter what is in the file.
The problem is in src/kadmin/v5server/srv_acl.c, in the acl_get_line()
function. This function does not properly handle the end-of-file
because on IRIX ``char'' is ``unsigned char''.
So on encountering the end-of-file, this loop
    for (i=0;
         ((i<BUFSIZ) &&
          (!feof(fp)) &&
          ((acl_buf[i] = fgetc(fp)) != '\n'));
         i++);
will copy a (char)(-1) = 255 into acl_buf, then increment i, and only
on the next iteration break out of the loop.
Then there is a special-case check of ``acl_buf[0] = EOF'' (with the
comment ``/* ptooey */'' added). Unfortunately, it assumes that EOF
will actually fit unchanged into a char -- but, on IRIX, EOF is the
``int'' -1 while acl_buf is an array of unsigned chars, so the result
of this check is always false.
There also seems to be a minor problem in that the ``acl_buf[0] =
EOF'' check won't handle files that don't end with a line feed
gracefully.
Anyway, here's a patch that works for me.
--cut-here----cut-here----cut-here----cut-here----cut-here----cut-here--
*** srv_acl.c.orig Tue Sep 19 21:35:08 1995
--- srv_acl.c Tue Sep 19 22:35:44 1995
***************
*** 85,94 ****
for (domore = 1; domore && !feof(fp); ) {
/* Copy in the line */
for (i=0;
((i<BUFSIZ) &&
! (!feof(fp)) &&
! ((acl_buf[i] = fgetc(fp)) != '\n'));
i++);
acl_buf[i] = '\0';
--- 85,95 ----
for (domore = 1; domore && !feof(fp); ) {
/* Copy in the line */
+ int inchar;
for (i=0;
((i<BUFSIZ) &&
! ((acl_buf[i] = (inchar = fgetc(fp))) != '\n') &&
! (inchar != EOF));
i++);
acl_buf[i] = '\0';
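Review bot: In the new loop condition, `acl_buf[i] = (inchar = fgetc(fp))` stores the byte before `(inchar != EOF)` is tested, so at end-of-file a truncated EOF is still written into acl_buf[i]; it is harmless only because `acl_buf[i] = '\0'` overwrites it right after the loop. Testing inchar against EOF and '\n' first, and storing only when both tests pass, would remove that dependency on the following line. Separately, when the loop ends because i has reached BUFSIZ, that same terminator write lands at index BUFSIZ, so acl_buf (declared outside this hunk) needs BUFSIZ+1 elements.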
***************
*** 97,105 ****
fprintf(stderr, acl_line2long_msg, acl_acl_file, *lnp);
while (fgetc(fp) != '\n');
}
! if (acl_buf[0] == EOF) /* ptooey */
! acl_buf[0] = '\0';
! else
(*lnp)++;
if ((acl_buf[0] != '#') && (acl_buf[0] != '\0'))
domore = 0;
--- 98,104 ----
fprintf(stderr, acl_line2long_msg, acl_acl_file, *lnp);
while (fgetc(fp) != '\n');
}
! if (!feof(fp))
(*lnp)++;
if ((acl_buf[0] != '#') && (acl_buf[0] != '\0'))
domore = 0;
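Review bot: The unchanged drain loop `while (fgetc(fp) != '\n');` in the line-too-long branch of this hunk has the same end-of-file blindness the patch fixes in the copy loop: if an over-long line is the last one in the file and has no trailing newline, fgetc() keeps returning EOF, which never equals '\n', and the loop does not terminate. Read into an int there as well and stop on EOF as well as '\n'. Also, with `if (!feof(fp)) (*lnp)++;` a final line that lacks a newline is returned with feof() already set, so *lnp is not incremented for it even though its contents are still processed.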
--cut-here----cut-here----cut-here----cut-here----cut-here----cut-here--
--Chris
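
The end-of-file handling this report describes, as an added example that is not part of the original message or of the krb5 source. The names stored_eof_matches, read_line and count_lines are hypothetical and the sample text is constructed; read_line keeps fgetc()'s result in an int and also covers a final line without a newline and an over-long line that ends at end-of-file.

```c
#include <stdio.h>
/* The failed check from the report, modelled with an explicit unsigned char
 * so it behaves the same on any platform. Returns 1 if a stored EOF matches. */
static int stored_eof_matches(void)
{
    unsigned char stored = (unsigned char)EOF; /* what lands in the buffer: 255 */
    int promoted = stored;                     /* integer promotion before == */
    return promoted == EOF;                    /* 255 == -1 is false */
}

/* Hypothetical helper, not the krb5 function. Reads one line into buf[size].
 * Returns 1 for a line (newline-terminated or a final unterminated one),
 * 0 at end-of-file with nothing read, -1 for an over-long line (discarded). */
static int read_line(FILE *fp, char *buf, size_t size)
{
    size_t i = 0;
    int c; /* int keeps EOF distinct from every byte value, 0xFF included */
    while ((c = fgetc(fp)) != EOF && c != '\n') {
        if (i + 1 >= size) { /* no room for this byte plus the terminator */
            while ((c = fgetc(fp)) != EOF && c != '\n')
                ; /* drain the rest, stopping at EOF as well as newline */
            buf[0] = '\0';
            return -1;
        }
        buf[i++] = (char)c;
    }
    buf[i] = '\0';
    return (c == EOF && i == 0) ? 0 : 1;
}

/* Counts the lines read_line() finds in constructed sample text. */
static int count_lines(const char *text)
{
    char buf[16];
    int n = 0;
    FILE *fp = tmpfile();
    if (fp == NULL) return -1;
    fputs(text, fp);
    rewind(fp);
    while (read_line(fp, buf, sizeof buf) != 0)
        n++;
    fclose(fp);
    return n;
}
int main(void)
{
    printf("%d %d\n", stored_eof_matches(), count_lines("first\nsecond"));
    return 0;
}
```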