[16794] in Kerberos_V5_Development
Bug in set/change password client library
daemon@ATHENA.MIT.EDU (Russ Allbery)
Wed May 4 23:08:26 2011
From: Russ Allbery <rra@stanford.edu>
To: krbdev@mit.edu
Date: Wed, 04 May 2011 20:08:22 -0700
Message-ID: <8739ktg7yx.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
Hello folks,
There's a bug in the set/change password client library in at least
Kerberos 1.9 with the parsing of a reply from a server if the reply is
longer than 255 bytes. In src/lib/krb5/krb/chpw.c around line 382, there
is code to parse the two-byte message length from the decrypted packet:
/*
** validate the message length -
** length is big endian
*/
message_length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
ptr += 2;
/*
** make sure the message length and packet length agree -
*/
if (message_length != packet->length)
return(KRB5KRB_AP_ERR_MODIFIED);
That first part was supposed to be ((ptr[0] & 0xff) << 8) instead. It
looks like this bug has been there since the initial protocol contribution
for the set password protocol. The version number and AP-REP parsing all
also have the same problem, but they're much less likely to be that long.
The result is that if the error reply is long enough to make the total
message length more than 255, an error of KRB5KRB_AP_ERR_MODIFIED is
always returned rather than the correct password change error.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
