[3270] in Kerberos-V5-bugs

home help back first fref pref prev next nref lref last post

krb5-libs/1015: bug in accept_sec_context.c

daemon@ATHENA.MIT.EDU (ratliff@austin.ibm.com)
Wed Nov 14 18:49:06 2001

Resent-From: gnats@rt-11.mit.edu (GNATS Management)
Resent-To: krb5-unassigned@rt-11.mit.edu
Resent-Reply-To: krb5-bugs@MIT.EDU, ratliff@austin.ibm.com
Message-Id: <20011114234834.4156B82ADE@spiff.austin.ibm.com>
Date: Wed, 14 Nov 2001 17:48:34 -0600 (CST)
From: ratliff@austin.ibm.com
Reply-To: ratliff@austin.ibm.com
To: krb5-bugs@mit.edu
Cc: ratliff@austin.ibm.com


>Number:         1015
>Category:       krb5-libs
>Synopsis:       bug in TREAD_STR macro call in accept_sec_context.c
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    krb5-unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Wed Nov 14 18:49:01 EST 2001
>Last-Modified:
>Originator:     Emily Ratliff
>Organization:
IBM Linux Technology Center, Security
>Release:        krb5-current-20011110
>Environment:
	
System: Linux spiff.austin.ibm.com 2.2.17-21mdk #1 Thu Oct 5 13:16:08 CEST 2000 i686 unknown
Architecture: i686

>Description:
	You have made several improvements to handling forwarded creds in
	krb5_gss_accept_sec_context() in accept_sec_context.c. One small
	problem remains. The call to the TREAD_STR macro sends bigend
	as the third parameter, but the third parameter should be the
	expected length of the string or option.length. 
	Also, in making your changes you separated the comment on line 485
	from the code that it is commenting on - that TREAD_STR macro call.
	I've included a patch to fix the buglet and move the comment back
	down to in front of the call to TREAD_STR.
	Thanks!
	Emily
>How-To-Repeat:
	
>Fix:

diff -ur src.orig/lib/gssapi/krb5/accept_sec_context.c src/lib/gssapi/krb5/accept_sec_context.c
--- src.orig/lib/gssapi/krb5/accept_sec_context.c	Wed Nov 14 17:07:03 2001
+++ src/lib/gssapi/krb5/accept_sec_context.c	Wed Nov 14 17:25:42 2001
@@ -482,16 +482,16 @@
 
 	       i -= 4;
 
-	       /* have to use ptr2, since option.data is wrong type and
-		  macro uses ptr as both lvalue and rvalue */
-
 	       if (i < option.length || option.length < 0) {
 		   code = KG_BAD_LENGTH;
 		   major_status = GSS_S_FAILURE;
 		   goto fail;
 	       }
 
-	       TREAD_STR(ptr, ptr2, bigend);
+	       /* have to use ptr2, since option.data is wrong type and
+		  macro uses ptr as both lvalue and rvalue */
+
+	       TREAD_STR(ptr, ptr2, option.length);
 	       option.data = (char *) ptr2;
 
 	       i -= option.length;
>Audit-Trail:
>Unformatted:
home help back first fref pref prev next nref lref last post