Re: problems with kinit against MIT KDC

[Love Hörnquist Åstrand <lha@kth.se>]

17 mar 2007 kl. 06.34 skrev Kevin Coffman:

> Testing the latest CVS kinit against our MIT KDCs (1.4.3 and 1.6+) I
> ran into a couple of problems.  The first error being reported was
> "Did not find a plugin for resolve".  It turns out, this wasn't the
> real error, but it was the only one being reported.
>
> I patched lib/krb5/krbhost.c to clear the error message if a kdc is
> eventually found.  This allowed the real error to be printed.  It
> seems there is a general problem of getting the right error printed.

Yes, not all patch have enough krb5_clear_error_string() and when
I've pushed more error strings deeper into the codepaths the problem
occur.

The problem when the second error code is generated.

> The real problem was then revealed.  I now got the message "ASN.1
> invalid character in string".  After a little digging, I found that
> the error packet returned by the MIT KDC has the string
> "NEEDED_PREAUTH\0" encoded with a length of 15.
> der_get_general_string() checks to see if the string contains a null
> and reports an error.  In this case there is a null, but it the last
> character, which seems harmless.  I'm sure more work could be done to
> eliminate the double null if desired.  Also, I couldn't figure out
> what the initial length check was really trying to check.  What is
> there seems useless.

You should send a bug report to the MIT people since I really think
this is invalid generated data. That said, maybe the code should be
slightly more liberal then it is now.

The check that you can't figure out is for integer overflow in the  
malloc below
it, maybe its a little to much paranoia, but I think its better to be  
concitant
and check for that anyway.

Love