Bugs-O-Plenty (long)
daemon@ATHENA.MIT.EDU (Jim Miller)
Tue Dec  7 19:45:10 1993
From: jim@bilbo.suite.com (Jim Miller)
Date: Tue, 7 Dec 93 18:44:22 -0600
To: krb5-bugs@MIT.EDU
Cc: kerberos@MIT.EDU
Reply-To: Jim_Miller@suite.com
The following list of bugs is for Kerberos 5, pre-beta 3.  
The majority of the bugs are not show-stoppers.  Some are, though.
Jim_Miller@suite.com
------------------------
FORMAT
(file name)
routine/function name
- comment
----------------
(des/string2key.c)
mit_des_string_to_key
- doesn't free keyblock->contents if no memory for copystr
(kdc/fetch_mkey.c)
kdc_fetch_mkey
- doesn't free key->contents if error with fread
(kdc/dbm.c)
kdcm_db_init
- doesn't free filename if open errors
kdcm_db_rename
- doesn't free anything if error returned by kdcm_db_start_update
(krb/copy_tick.c)
krb5_copy_enc_tkt_part
- wrong error value returned if no memory for 
  tempto->transited.tr_contents.data
krb5_copy_ticket
- doesn't free 'tempto' if error returned by first krb5_copy_principal
(krb/gc_2tgt.c)
krb5_get_cred_via_2tgt
- doesn't free cred->addresses if error returned by krb5_copy_principal
- doesn't free cred->server if error returned by encode_krb5_ticket
- doesn't call krb5_finish_key if error returned by krb5_timeofday
(krb/get_in_tkt.c)
krb5_get_in_tkt
- doesn't free as_reply if error returned by krb5_copy_addresses
(krb/mk_priv.c)
krb5_mk_priv
- doesn't free 'scratch' correctly if realloc fails
- doesn't free 'privmsg_enc_part->r_address' or 
  'privmsg_enc_part->s_address' at all
(krb/rd_safe.c)
krb5_rd_safe
- doesn't free 'message' if invalid checksum type
(rcache/rc_dfl.c)
krb5_rc_io_fetch
- doesn't free memory if errors occur
(ccache/stdio/scc_sseq.c)
krb5_scc_start_seq_get
- returns KRB5_OK, even if there was an error in MAYBE_CLOSE
(ccache/stdio/scc_read.c)
krb5_scc_read_principal
- 'errout' code always returns CC_NOMEM, it should return 'kret'
(kdc/setup_mkey.c)
kdc_setup_mkey_name
- routine should construct full principal name and then call 
  krb5_parse_name instead of doing what it currently does
(admin/edit/dump.c)
load_db
- tests 'salt_len' when it should be testing 'alt_salt_len'
(admin/edit/kdc_edit.c)
enter_master_key
- should test 'valid_master_key' and then "finish" master key if true
set_dbname
- should clear 'valid_master_key' if 'dbactive' and 'valid_master_key'
(kdc/do_as_req.c)
check_padata
- returns 0 if can't extract Client Key/alt_key.  Is this correct?
process_as_req
- is 'pwreq' variable still necessary?
- doesn't do 'cleanup' if error returned by either kdc_get_principal call
- 'cleanup' gets called after return from krb5_encode_kdc_rep.  'cleanup' 
  frees cname and sname, yet cname and sname are still being used for 
  syslog messages.
- 'cname' and 'sname' get freed twice (at end of 'process_as_req')
(kdc/kdc_util.c)
validate_tgs_request
- check for TGT proxy attempt should use TGTNAME macro
(kadmin/server/adm_process.c)
process_client
- the following 'if' check seems backwards:
	if ((client_creds->enc_part2->times.authtime - adm_time) > 60*5) {
  shouldn't it be:
	if ((adm_time - client_creds->enc_part2->times.authtime) > 60*5) {
- doesn't free inbuf.data if error returned by final krb5_rd_priv
- doesn't free msg_data.data if error returned by final krb5_write_message
- doesn't do right thing if error returned by krb5_recvauth
- doesn't free server_entry contents upon success
- doesn't free cpw_key.key upon success
(kadmin/server/adm_adm_func.c)
adm_build_key
- not freeing msg_data if krb5_write_message returns with error
adm_change_pwd
- retval = 8; on err return from adm_enter_pwd_key is lost
adm_change_pwd_rnd
- wrong syslog message. it says remote add, should be random pswd change
adm_mod_old_key
- doesn't do kdc_free_principal(&entry, nprincs) after adm_princ_exists
- not freeing msg_data if krb5_write_message returns with error
- doesn't check retval on call to kdc_put_principal
adm_inq_old_key
- doesn't do kdc_free_principal(&entry, nprincs) after adm_princ_exists
- doesn't return when err in adm_fmt_prt
- not freeing msg_data if krb5_write_message returns with error
- not freeing outbuf !!
(kadmin/server/adm_kadmin.c)
adm5_kadmin
- not freeing msg_data if krb5_write_message returns with error
- frees completion_msg twice if go thru default OPER case
- frees completion_msg twice if go thru non-default retval case
- completion_msg in default retval case says "ksrvutil"
- not freeing msg_data if err in final reply
(kadmin/server/adm_fmt_inq.c)
adm_fmt_prt
- com_err string has wrong function name
- doesn't check return status on call to adm_print_exp_time
- doesn't check return status on call to adm_print_attributes
- shouldn't you check req_type before encrypting keys?
(kadmin/server/adm_funcs.c)
adm_modify_kdc
- if err when encrypting alt_key, need to wipe out entry->key, if exists
- if err when encrypting alt_key, need to free entry->key, if exists
- memset of entry (if new entry) uses sizeof(entry) should be 
  sizeof(*entry)
- memset of entry (if new entry) sets '&entry', should be 'entry'
- when you free entry->key.contents, should set .contents to zero so 
  kdc_free_principal doesn't try to also free it.
- when you free entry->alt_key.contents, should set .contents to zero so 
  kdc_free_principal doesn't try to also free it.
- if one != 0, it doesn't return correct err retval
adm_enter_pwd_key
- com_err message for norealm salt case should be changed
- com_err message for onlyrealm salt case should be changed
- com_err message for string_to_key says 'alt_key'
- tempkey.contents not being freed
- alttempkey not being freed
- salt.saltdata.data not being freed upon successful return
- altsalt.saltdata.data not being freed upon successful return
- sometimes salt.saltdata is zero, but routine still frees.
- memset of new_password uses sizeof(new_password). should be pwd.length
- entry->alt_key is being freed, but it was freed inside of adm_modify_kdc
adm5_change
- doesn't check return value of call to krb5_unparse_name
adm_enter_rnd_pwd_key
- doesn't check tempkey->contents before doing a memset. sometimes tempkey 
  is null.
- doesn't free tempkey->contents
- doesn't goto finish if error with krb5_unparse_name, just returns
(kadmin/server/adm_parse.c)
kadmin_parse_and_set
- what are the year, month, and day variables for?
- call to non-existent routine convert_tm_to_sec
(kadmin/server/adm_nego.c)
adm_negotiate_key
- doesn't return if no memory for
  (*next_passwd_phrase_element)->phrase->data
(kadmin/server/adm_process.c)
cpw_keyproc
- always returns 0, even if there's an error
(kadmin/client/kadmin_done.c)
kadm_done
- doesn't free inbuf if an error in mk_priv
- doesn't free msg_data if an error in krb5_write_message
(kadmin/client/kadmin_cpw.c)
kadm_cpw
- doesn't free msg_data if an error in krb5_write_message
- returns a 0 if principal does not exist
- doesn't free msg_data on errors
(kadmin/client/kadmin_cpr.c)
kadm_cpr
- returns a 0 even if Principal does not exist
(kadmin/client/kadmin_del.c)
kadm_del
- doesn't free inbuf if an error in rd_priv
- returns a 0 even if Principal does not exist
(kadmin/client/kadmin_mod.c)
kadm_mod
- near end of routine, frees msg_data.dat, but continues to reference it.
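An added illustration (not code from the post or from the Kerberos sources) of the reversed age check in process_client: the struct names below are hypothetical stand-ins for client_creds->enc_part2->times.authtime, and the third check goes beyond the post by also rejecting tickets dated in the future.

```c
#include <stdbool.h>
#include <time.h>

/* Hypothetical stand-ins for the krb5 fields the post refers to
 * (client_creds->enc_part2->times.authtime); not the real krb5 structs. */
struct enc_tkt_times { time_t authtime; };
struct enc_tkt_part  { struct enc_tkt_times times; };
struct creds         { struct enc_tkt_part *enc_part2; };

#define ADM_MAX_AGE (60 * 5)   /* the five-minute window from the post */

/* The check as the post quotes it: true (reject) only when authtime is more
 * than five minutes in the FUTURE, so a ticket issued an hour ago is accepted. */
bool reject_as_written(const struct creds *c, time_t adm_time) {
    return (c->enc_part2->times.authtime - adm_time) > ADM_MAX_AGE;
}

/* The reversal the post suggests: reject when the ticket is more than five
 * minutes OLD relative to the admin server's clock. */
bool reject_as_suggested(const struct creds *c, time_t adm_time) {
    return (adm_time - c->enc_part2->times.authtime) > ADM_MAX_AGE;
}

/* Beyond the post: a symmetric window that rejects clock skew in either
 * direction (stale or future-dated tickets). difftime keeps it portable
 * whether time_t is signed or not. */
bool reject_skew(const struct creds *c, time_t adm_time) {
    double diff = difftime(adm_time, c->enc_part2->times.authtime);
    if (diff < 0) diff = -diff;
    return diff > ADM_MAX_AGE;
}

/* Evaluate one of the checks for a constructed ticket with the given
 * authtime against a constructed server clock. */
bool evaluate(bool (*check)(const struct creds *, time_t),
              time_t authtime, time_t adm_time) {
    struct enc_tkt_part part = { { authtime } };
    struct creds c = { &part };
    return check(&c, adm_time);
}
```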