[2993] in Kerberos-V5-bugs
krb5-clients/655: Windows credentials manager doesn't display password changing errors correctly
daemon@ATHENA.MIT.EDU (vwelch@ncsa.uiuc.edu)
Fri Nov 6 12:15:56 1998
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, vwelch@ncsa.uiuc.edu
Date: Fri, 6 Nov 1998 11:05:26 -0600
From: vwelch@ncsa.uiuc.edu
Reply-To: vwelch@ncsa.uiuc.edu
To: krb5-bugs@MIT.EDU
Cc: vwelch@ncsa.uiuc.edu
>Number: 655
>Category: krb5-clients
>Synopsis: Windows credentials manager doesn't display password changing errors correctly
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Nov 06 12:06:00 EST 1998
>Last-Modified:
>Originator:
>Organization:
------------------------------------------------------------------------
Von Welch Senior Network Engineer vwelch@ncsa.uiuc.edu
National Center for Supercomputing Applications
------------------------------------------------------------------------
>Release: NT-ALPHA-2 Snapshot
>Environment:
Windows NT/95
Architecture: i686
>Description:
There is a bug in the code that causes the error message from
the server not to be displayed to the user.
>How-To-Repeat:
Try using krb5.exe to change your password and for the new password
give it a password that is unacceptable to the server for whatever
reason (e.g. too short, not enough classes). Notice
the not too helpful error message that comes back.
>Fix:
The code tries to check the length of the reply against the length of
the buffer to prevent an overflow, but it checks using the wrong
variable so it always thinks there is an overflow and never displays
any reply. See attached diff.
Index: kpasswd.c
===================================================================
RCS file: /afs/ncsa/src/kerberos/cvsroot/krb5-win/windows/cns/kpasswd.c,v
retrieving revision 1.1.1.1
diff -c -r1.1.1.1 kpasswd.c
*** kpasswd.c 1997/10/21 16:05:27 1.1.1.1
--- kpasswd.c 1998/11/06 16:55:23
***************
*** 61,67 ****
*ptr++ = '\n';
n = reply[i].length; /* Easier to work with */
! if (ptr + n + 2 >= errbuf) /* Check for overflow */
break;
memcpy (ptr, reply[i].data, n); /* Add the message */
ptr += n; /* Point to the end */
--- 61,67 ----
*ptr++ = '\n';
n = reply[i].length; /* Easier to work with */
! if (ptr + n + 2 >= end) /* Check for overflow */
break;
memcpy (ptr, reply[i].data, n); /* Add the message */
ptr += n; /* Point to the end */
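Review bot: the corrected test in the changed line, `ptr + n + 2 >= end`, still builds the pointer `ptr + n + 2` before comparing it, so a large `reply[i].length` sent by the server can push the sum past the end of the buffer, which is undefined in C and can wrap so that the test passes and the `memcpy` runs. Comparing lengths avoids that, for example `if (n + 2 >= end - ptr)` with both sides in the same unsigned type. The hunk does not show where `end` is assigned or how `n` is declared, so it is worth confirming that `end` is derived from the size of `errbuf` and that `n` cannot be negative. The `*ptr++ = '\n';` above the test also writes before any bound is checked in the visible lines.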
>Audit-Trail:
>Unformatted:
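The always-true comparison described under >Fix: and a length-based replacement, as an added C example that is not part of the original report or the MIT source. `struct chunk`, `old_check_rejects` and `join_reply` are hypothetical names, and the newline separator and trailing NUL are assumptions about what the `+ 2` reserves.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for one reply component (length + data), like reply[i]. */
struct chunk { size_t length; const char *data; };

/* The comparison from the original line: ptr never sits below errbuf, so
 * this is true for every reply and the loop breaks before copying anything. */
int old_check_rejects(const char *errbuf, const char *ptr, size_t n)
{
    return ptr + n + 2 >= errbuf;
}

/* Join reply components into buf (capacity cap), newline-separated and
 * NUL-terminated. Returns how many components were copied. Space is checked
 * by comparing lengths, so no out-of-range pointer is ever formed, even when
 * a component claims a huge length. */
size_t join_reply(char *buf, size_t cap, const struct chunk *reply, size_t count)
{
    size_t used = 0, i;
    if (cap == 0)
        return 0;
    for (i = 0; i < count; i++) {
        size_t n = reply[i].length;
        size_t sep = (i > 0) ? 1 : 0;     /* assumed newline between components */
        size_t room = cap - used - 1;     /* bytes free, keeping one for the NUL */
        if (n > room || sep > room - n)   /* does not fit: stop, keep what we have */
            break;
        if (sep)
            buf[used++] = '\n';
        memcpy(buf + used, reply[i].data, n);
        used += n;
    }
    buf[used] = '\0';
    return i;
}

int main(void)
{
    char errbuf[32];
    /* Constructed sample reply, not taken from a real server. */
    struct chunk reply[] = { {19, "Password too short."}, {8, "Retry it"} };
    printf("old check rejects: %d\n", old_check_rejects(errbuf, errbuf, 19));
    printf("copied %zu: %s\n", join_reply(errbuf, sizeof errbuf, reply, 2), errbuf);
    return 0;
}
```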