[2774] in Kerberos-V5-bugs

krb5-kdc/461: Transitive cross-realm does not work

daemon@ATHENA.MIT.EDU (Ken Hornstein)
Thu Aug 14 11:54:54 1997

Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, kenh@cmf.nrl.navy.mil
Date: Thu, 14 Aug 1997 11:46:19 -0400 (EDT)
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Reply-To: kenh@cmf.nrl.navy.mil
To: krb5-bugs@MIT.EDU


>Number:         461
>Category:       krb5-kdc
>Synopsis:       Transitive cross-realm does not work
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    krb5-unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Thu Aug 14 11:47:01 EDT 1997
>Last-Modified:
>Originator:     Ken Hornstein
>Organization:
Naval Research Laboratory
	
>Release:        1.0pl1
>Environment:
	
System: SunOS elvis 4.1.4 4 sun4c
Architecture: sun4

>Description:
	
The add_to_transitive function in the KDC does not work very well.  It
allocates memory that never gets free'd, it does not copy over the
old transitive information, and it never clears out the new memory
allocated.

The result is that you end up with garbage in front of the realm
name.
>How-To-Repeat:
	
Try using transitive cross-realm.
>Fix:
	
Apply the following patch:

Index: kdc_util.c
diff -u -r1.2 kdc_util.c
--- kdc_util.c	1997/08/04 19:49:56	1.2
+++ kdc_util.c	1997/08/14 15:12:46
@@ -555,7 +555,7 @@
 {
   char        *realm;
   char        *trans;
-  char        *otrans;
+  char        *otrans, *otrans_ptr;
 
   /* The following are for stepping through the transited field     */
 
@@ -576,18 +576,25 @@
   realm[krb5_princ_realm(kdc_context, tgs)->length] = '\0';
 
   if (!(otrans = (char *) malloc(tgt_trans->length+1))) {
+    free(realm);
     return(ENOMEM);
   }
   memcpy(otrans, tgt_trans->data, tgt_trans->length);
   otrans[tgt_trans->length] = '\0';
+  otrans_ptr = otrans;
 
   if (!(trans = (char *) malloc(strlen(realm) + strlen(otrans) + 1))) {
+    free(realm);
+    free(otrans_ptr);
     return(ENOMEM);
   }
 
   if (new_trans->data)  free(new_trans->data);
   new_trans->data = trans;
 
+  memcpy(trans, otrans, tgt_trans->length);
+  trans[tgt_trans->length] = '\0';
+
   /* For the purpose of appending, the realm preceding the first */
   /* realm in the transited field is considered the null realm   */
 
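Review bot: The added memcpy(trans, otrans, tgt_trans->length) copies by the counted length, but trans was sized from strlen(otrans). If tgt_trans->data contains an embedded NUL, strlen(otrans) is shorter than tgt_trans->length, and both the copy and the trans[tgt_trans->length] = '\0' store can land past the end of the allocation. Use one measure in both places, for example strcpy(trans, otrans) or a length saved from strlen(otrans). Separately, the malloc leaves no slack beyond strlen(realm) + strlen(otrans) + 1, so any separator written between the old contents and realm before the later strcat(trans, realm) has to be counted in that size.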
@@ -723,6 +730,9 @@
     strcat(trans, realm);
     new_trans->length = strlen(trans) + 1;
   }
+
+  free(realm);
+  free(otrans_ptr);
 
   return(0);
 }
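Review bot: free(realm) and free(otrans_ptr) are added only in front of the final return(0). The hunk headers show roughly 130 untouched lines between the allocations and this point, and any return on an error path in that span would still leak both buffers. Routing those exits through a single cleanup label that performs these two frees would cover every path.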
>Audit-Trail:
>Unformatted:
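Added example, not part of the original report or of the MIT krb5 source: a simplified C model of the append step the description says goes wrong, showing the old contents copied first, a zeroed allocation, and one length measurement shared by the allocation and the copy. The names counted_buf and append_transited, the ',' separator, and the absence of realm-name compression are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for krb5_data: counted bytes, not NUL-terminated. */
struct counted_buf { size_t length; char *data; };

/* Simplified model: join the old transited list and `realm` with ','
 * (no realm-name compression). out->length counts the NUL, as
 * `strlen(trans) + 1` does in the patched function. */
int append_transited(const struct counted_buf *old, const char *realm,
                     struct counted_buf *out)
{
    size_t olen = 0, rlen = strlen(realm), sep, need;
    char *trans;

    if (old->data != NULL) {
        /* Measure once, stopping at an embedded NUL, so the size used
         * for the allocation and for the copy cannot disagree. */
        const char *nul = memchr(old->data, '\0', old->length);
        olen = nul ? (size_t)(nul - old->data) : old->length;
    }
    sep = olen ? 1 : 0;
    need = olen + sep + rlen + 1;          /* old + ',' + realm + NUL */

    if ((trans = calloc(1, need)) == NULL) /* zeroed: no stale heap bytes */
        return ENOMEM;
    if (olen) {                            /* carry the old list over first */
        memcpy(trans, old->data, olen);
        trans[olen] = ',';
    }
    memcpy(trans + olen + sep, realm, rlen + 1);

    free(out->data);                       /* release the previous value */
    out->data = trans;
    out->length = need;
    return 0;
}

int main(void)
{
    char prev[] = { 'A', '.', 'E', 'X' };  /* constructed, unterminated */
    struct counted_buf old = { sizeof prev, prev }, out = { 0, NULL };

    if (append_transited(&old, "B.EX", &out) == 0)
        printf("%s (%zu bytes)\n", out.data, out.length);
    free(out.data);
    return 0;
}
```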
