[16795] in Kerberos_V5_Development
Re: Bug in set/change password client library
daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Thu May 5 00:15:33 2011
Message-ID: <4DC22444.2070204@secure-endpoints.com>
Date: Thu, 05 May 2011 00:15:00 -0400
From: Jeffrey Altman <jaltman@secure-endpoints.com>
To: krbdev@mit.edu
In-Reply-To: <8739ktg7yx.fsf@windlord.stanford.edu>
On 5/4/2011 11:08 PM, Russ Allbery wrote:
> Hello folks,
>
> There's a bug in the set/change password client library in at least
> Kerberos 1.9 with the parsing of a reply from a server if the reply is
> longer than 255 bytes. In src/lib/krb5/krb/chpw.c around line 382, there
> is code to parse the two-byte message length from the decrypted packet:
>
> /*
> ** validate the message length -
> ** length is big endian
> */
> message_length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
> ptr += 2;
> /*
> ** make sure the message length and packet length agree -
> */
> if (message_length != packet->length)
> return(KRB5KRB_AP_ERR_MODIFIED);
>
> That first part was supposed to be ((ptr[0] & 0xff) << 8) instead. It
> looks like this bug has been there since the initial protocol contribution
> for the set password protocol. The version number and AP-REP parsing all
> also have the same problem, but they're much less likely to be that long.
>
> The result is that if the error reply is long enough to make the total
> message length more than 255, an error of KRB5KRB_AP_ERR_MODIFIED is
> always returned rather than the correct password change error.
The error is not just on that line. The error is repeated for
message_length, version_number, ap_rep.length, and *result_code within
krb5int_rd_setpw_rep().
Jeffrey Altman
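To make the mask-ordering bug in the quoted snippet concrete, here is an added illustration (not code from the krb5 tree or from either poster): the buggy and corrected two-byte big-endian parses side by side, plus a stand-in for the length-agreement check, run over constructed packets below and above 255 bytes. `check_packet` and `build_and_check` are hypothetical helpers; the nonzero return stands in for KRB5KRB_AP_ERR_MODIFIED.

```c
#include <stddef.h>
#include <string.h>

/* Buggy form as quoted above: the mask is applied after the shift, so
 * (ptr[0] << 8) & 0xff is always 0 and the high byte is silently lost. */
static unsigned int parse_length_buggy(const unsigned char *ptr)
{
    return (((ptr[0] << 8) & 0xff) | (ptr[1] & 0xff));
}

/* Corrected form: mask first, then shift, so both bytes survive. */
static unsigned int parse_length_fixed(const unsigned char *ptr)
{
    return (((ptr[0] & 0xff) << 8) | (ptr[1] & 0xff));
}

/* Stand-in for the agreement check in krb5int_rd_setpw_rep(): 0 when the
 * big-endian length field matches the packet length, 1 when it does not
 * (the KRB5KRB_AP_ERR_MODIFIED path), -1 on a packet too short to parse. */
static int check_packet(const unsigned char *pkt, size_t pkt_len, int use_fix)
{
    unsigned int msg_len;

    if (pkt_len < 2)
        return -1;
    msg_len = use_fix ? parse_length_fixed(pkt) : parse_length_buggy(pkt);
    return msg_len == pkt_len ? 0 : 1;
}

/* Constructed packet of length n whose first two bytes carry n in
 * big-endian order, as a well-formed reply would. */
static int build_and_check(size_t n, int use_fix)
{
    unsigned char pkt[600];

    if (n < 2 || n > sizeof(pkt))
        return -1;
    memset(pkt, 0, sizeof(pkt));
    pkt[0] = (unsigned char)((n >> 8) & 0xff);
    pkt[1] = (unsigned char)(n & 0xff);
    return check_packet(pkt, n, use_fix);
}
```

A 200-byte reply passes either way; a 300-byte reply is parsed as 44 by the buggy form and rejected, exactly the failure Russ describes.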
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev