See "The real problem ..." below. Love suggests
that this is an
encoding error on the MIT side (sending the terminating null
character
in the string). I looked a bit, but did not find whether
the Heimdal
code is correct in forbidding null characters in
generalstrings (even
as the last character).
It sounds like Love is going to relax the check in Heimdal,
but I
thought I should bring up the issue here.
K.C.
---------- Forwarded message ----------
From: Love Hörnquist Åstrand <lha kth.se>
Date: Mar 18, 2007 1:39 PM
Subject: Re: problems with kinit against MIT KDC
To: Kevin Coffman <kwcciti.umich.edu>
Cc: Heimdal-discuss list <heimdal-discusssics.se>
17 mar 2007 kl. 06.34 skrev Kevin Coffman:
> Testing the latest CVS kinit against our MIT KDCs
(1.4.3 and 1.6+) I
> ran into a couple of problems. The first error being
reported was
> "Did not find a plugin for resolve". It
turns out, this wasn't the
> real error, but it was the only one being reported.
>
> I patched lib/krb5/krbhost.c to clear the error message
if a kdc is
> eventually found. This allowed the real error to be
printed. It
> seems there is a general problem of getting the right
error printed.
Yes, not all patch have enough krb5_clear_error_string() and
when
I've pushed more error strings deeper into the codepaths the
problem
occur.
The problem when the second error code is generated.
> The real problem was then revealed. I now got the
message "ASN.1
> invalid character in string". After a little
digging, I found that
> the error packet returned by the MIT KDC has the
string
> "NEEDED_PREAUTH�" encoded with a length of
15.
> der_get_general_string() checks to see if the string
contains a null
> and reports an error. In this case there is a null,
but it the last
> character, which seems harmless. I'm sure more work
could be done to
> eliminate the double null if desired. Also, I couldn't
figure out
> what the initial length check was really trying to
check. What is
> there seems useless.
You should send a bug report to the MIT people since I
really think
this is invalid generated data. That said, maybe the code
should be
slightly more liberal then it is now.
The check that you can't figure out is for integer overflow
in the
malloc below
it, maybe its a little to much paranoia, but I think its
better to be
concitant
and check for that anyway.
Love
_______________________________________________
krbdev mailing list krbdevmit.edu
https
://mailman.mit.edu/mailman/listinfo/krbdev
|