
Re: [patch] kadmind buffer overrun

Leif Johansson <leifj@matematik.su.se> writes:
> I recently reported what seemed like a bug in kadmin. I have since
> realised that it is not kadmin which dumps on be but rather it is
> kadmind. The bug is confounded further by not appearing on solaris7.

Thanks for your bug report and your patch.  It has been solved in a
very similar way in the current code.  I append the patch that we
applied.

/assar
Index: kadmin/server.c
===================================================================
RCS file: /afs/pdc.kth.se/src/packages/kth-krb/SourceRepository/heimdal/kadmin/server.c,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -w -u -w -r1.15 -r1.16
--- server.c	1999/05/04 03:52:09	1.15
+++ server.c	1999/05/21 09:16:28	1.16
@@ -39,7 +39,7 @@
 #include "kadmin_locl.h"
 #include <krb5-private.h>
 
-RCSID("$Id: server.c,v 1.15 1999/05/04 03:52:09 assar Exp $");
+RCSID("$Id: server.c,v 1.16 1999/05/21 09:16:28 assar Exp $");
 
 static kadm5_ret_t
 kadmind_dispatch(void *kadm_handle, krb5_data *in, krb5_data *out)
@@ -387,18 +387,22 @@
 	  int fd)
 {
     krb5_error_code ret;
-    u_char tmp[4];
+    u_char version[sizeof(KRB5_SENDAUTH_VERSION)];
     krb5_ticket *ticket;
     krb5_principal server;
     char *client;
     void *kadm_handle;
 
-    krb5_net_read(context, &fd, tmp, len);
-    if(len != sizeof(KRB5_SENDAUTH_VERSION) || 
-       memcmp(tmp, KRB5_SENDAUTH_VERSION, len) != 0)
-	krb5_errx(context, 1, "bad sendauth version %.8s", tmp);
+    if (len != sizeof(KRB5_SENDAUTH_VERSION))
+	krb5_errx(context, 1, "bad sendauth len %d", len);
+    if(krb5_net_read(context, &fd, version, len) != len)
+	krb5_err (context, 1, errno, "reading sendauth version");
+    if(memcmp(version, KRB5_SENDAUTH_VERSION, len) != 0)
+	krb5_errx(context, 1, "bad sendauth version %.8s", version);
 	
-    krb5_parse_name(context, KADM5_ADMIN_SERVICE, &server);
+    ret = krb5_parse_name(context, KADM5_ADMIN_SERVICE, &server);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_parse_name %s", KADM5_ADMIN_SERVICE);
     ret = krb5_recvauth(context, &ac, &fd, KADMIN_APPL_VERSION, 
 			server, KRB5_RECVAUTH_IGNORE_VERSION, 
 			keytab, &ticket);
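Review bot: the length check now precedes the read, which is the right ordering: a peer-supplied `len` can no longer drive `krb5_net_read` into a fixed-size stack buffer (previously `u_char tmp[4]`, now `version[sizeof(KRB5_SENDAUTH_VERSION)]`), and a short read or read error is caught by comparing the return value against `len`. Two things to confirm: `len` is declared outside this hunk, so check that its type matches the `%d` in `"bad sendauth len %d"` and cast it if it is not an `int`; and `%.8s` in the mismatch message bounds the output to 8 bytes of a buffer that is not guaranteed NUL-terminated, which is safe but will truncate the logged value if the version string is longer than 8 characters.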
@@ -406,7 +410,9 @@
 	    
     if(ret)
 	krb5_err(context, 1, ret, "krb5_recvauth");
-    krb5_unparse_name(context, ticket->client, &client);
+    ret = krb5_unparse_name(context, ticket->client, &client);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_unparse_name");
     ret = kadm5_init_with_password_ctx(context, 
 				       client, 
 				       NULL,
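Review bot: the added `ret` check on `krb5_unparse_name` is consistent with the previous hunk, but every failure in both hunks now goes through `krb5_err`/`krb5_errx` with exit status 1, so a single malformed connection terminates the process running this code; that is appropriate only if this handler runs in a per-connection child, which the hunk does not show, so a short comment stating that assumption at the top of the function would help future readers.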
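The check-before-read ordering that the patch above introduces, as an added example that is not Heimdal's code: the peer-supplied length is validated against the fixed buffer size before any byte is read into it, and a short read is reported rather than ignored. `SENDAUTH_VERSION`, `mem_net_read` (an in-memory stand-in for `krb5_net_read`) and the sample byte streams are constructed for this example.

```c
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

/* Stand-in for the protocol version string (the real macro is KRB5_SENDAUTH_VERSION
 * in Heimdal's headers; the value here is assumed for the example). */
#define SENDAUTH_VERSION "KRB5_SENDAUTH_V1.0"

enum { VERSION_OK = 0, ERR_BAD_LEN = -1, ERR_SHORT_READ = -2, ERR_MISMATCH = -3 };

/* Constructed sample "wire" data a client might send after the length field. */
static const unsigned char SAMPLE_GOOD[] = "KRB5_SENDAUTH_V1.0";   /* 19 bytes incl. NUL */
static const unsigned char SAMPLE_WRONG[] = "KRB5_SENDAUTH_V9.9";  /* same length, wrong value */

/* Stand-in for krb5_net_read(): copies up to `want` bytes from a caller-owned byte
 * stream and returns how many were actually available (a short read when fewer). */
static ssize_t mem_net_read(const unsigned char **wire, size_t *remaining,
                            unsigned char *buf, size_t want)
{
    size_t n = want < *remaining ? want : *remaining;
    memcpy(buf, *wire, n);
    *wire += n;
    *remaining -= n;
    return (ssize_t)n;
}

/* Hardened version check. The original bug used the peer-supplied len directly as
 * the read length into u_char tmp[4]; here len is rejected before the buffer is
 * touched, so the read can never exceed sizeof(version). */
int check_sendauth_version(const unsigned char *wire, size_t wire_len, uint32_t len)
{
    unsigned char version[sizeof(SENDAUTH_VERSION)];

    if (len != sizeof(SENDAUTH_VERSION))
        return ERR_BAD_LEN;            /* rejected before any byte is read */
    if (mem_net_read(&wire, &wire_len, version, len) != (ssize_t)len)
        return ERR_SHORT_READ;         /* peer closed early or sent too little */
    if (memcmp(version, SENDAUTH_VERSION, len) != 0)
        return ERR_MISMATCH;           /* right length, wrong protocol string */
    return VERSION_OK;
}
```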