krb5 commit: Err codes in KRB_ERROR protocol messages are < 128

Zhanna A Tsitkova tsitkova at MIT.EDU
Mon Sep 23 12:07:48 EDT 2013


https://github.com/krb5/krb5/commit/58ea3bdbfe6330225a2d58dfb00ccf1ad70617fe
commit 58ea3bdbfe6330225a2d58dfb00ccf1ad70617fe
Author: Zhanna Tsitkov <tsitkova at mit.edu>
Date:   Thu Sep 19 13:11:15 2013 -0400

    Err codes in KRB_ERROR protocol messages are < 128
    
    If the error code is outside the [0,127] range, set it to KRB_ERR_GENERIC.
    This corrects the previous behavior, which accepted the range [0,128].
    For more information see krb5_err.et.

 src/include/k5-int.h                     |    1 +
 src/kadmin/server/schpw.c                |    2 +-
 src/kdc/do_as_req.c                      |    2 +-
 src/kdc/do_tgs_req.c                     |    2 +-
 src/lib/gssapi/krb5/accept_sec_context.c |    2 +-
 5 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index f84fbd8..d5814d9 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -381,6 +381,7 @@ typedef INT64_TYPE krb5_int64;
                                                       not find a KDC */
 #define KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE       86 /* The KDC did not respond
                                                       to the IAKERB proxy */
+#define KRB_ERR_MAX 127 /* err table base max offset for protocol err codes */
 
 /*
  * A null-terminated array of this structure is returned by the KDC as
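Review bot: The comment on `KRB_ERR_MAX` does not say why the limit is 127 or what lies above it, which is what a later reader needs when deciding whether a code may go on the wire. Going by the commit message (KRB_ERROR codes are < 128, see krb5_err.et), I would spell it out, e.g. `/* Highest krb5 error-table offset that is a protocol error code; larger offsets are not valid in a KRB-ERROR message and are mapped to KRB_ERR_GENERIC */`. It is also worth naming krb5_err.et in that comment as the source of the bound, so the define and the table are kept in step if the layout ever changes.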
diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
index 7f455d8..4a91159 100644
--- a/src/kadmin/server/schpw.c
+++ b/src/kadmin/server/schpw.c
@@ -365,7 +365,7 @@ chpwfail:
            to mk_error do. */
         krberror.error = ret;
         krberror.error -= ERROR_TABLE_BASE_krb5;
-        if (krberror.error < 0 || krberror.error > 128)
+        if (krberror.error < 0 || krberror.error > KRB_ERR_MAX)
             krberror.error = KRB_ERR_GENERIC;
 
         krberror.client = NULL;
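Review bot: In the chpwfail path the offset is computed in `krberror.error` itself, and that field's declaration is not visible in this hunk. If it is an unsigned type, `krberror.error < 0` can never be true and the clamp works only because a wrapped value also exceeds `KRB_ERR_MAX`. Doing the arithmetic in a signed local and storing the result afterwards would make the check read the way it behaves, e.g. `krb5_error_code e = ret - ERROR_TABLE_BASE_krb5;` followed by `krberror.error = (e < 0 || e > KRB_ERR_MAX) ? KRB_ERR_GENERIC : e;`. The chpwfail block starts and continues outside the hunk, so this depends on the field type being confirmed.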
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 11ba5a2..8790ec4 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -351,7 +351,7 @@ egress:
         }
         if (errcode != KRB5KDC_ERR_DISCARD) {
             errcode -= ERROR_TABLE_BASE_krb5;
-            if (errcode < 0 || errcode > 128)
+            if (errcode < 0 || errcode > KRB_ERR_MAX)
                 errcode = KRB_ERR_GENERIC;
 
             errcode = prepare_error_as(state->rstate, state->request,
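Review bot: `errcode -= ERROR_TABLE_BASE_krb5;` runs before the range check, so a code that does not come from the krb5 table is shifted first and only tested afterwards. If `errcode` is a signed integer (its declaration is outside the hunk), a value far from the table base could overflow in the subtraction or be truncated on conversion back, depending on the types involved. Testing against the base before subtracting avoids that: `if (errcode < ERROR_TABLE_BASE_krb5 || errcode > ERROR_TABLE_BASE_krb5 + KRB_ERR_MAX) errcode = KRB_ERR_GENERIC; else errcode -= ERROR_TABLE_BASE_krb5;`. The same subtract-then-clamp sequence appears in the do_tgs_req.c and accept_sec_context.c hunks, so a single shared helper next to `KRB_ERR_MAX` would keep the copies from drifting again, as they did with the 128 bound.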
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index f047dd8..ae5e757 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -776,7 +776,7 @@ cleanup:
             got_err = 1;
         }
         errcode -= ERROR_TABLE_BASE_krb5;
-        if (errcode < 0 || errcode > 128)
+        if (errcode < 0 || errcode > KRB_ERR_MAX)
             errcode = KRB_ERR_GENERIC;
 
         retval = prepare_error_tgs(state, request, header_ticket, errcode,
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 82bd013..9f9b6c6 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -1233,7 +1233,7 @@ fail:
         memset(&krb_error_data, 0, sizeof(krb_error_data));
 
         code -= ERROR_TABLE_BASE_krb5;
-        if (code < 0 || code > 128)
+        if (code < 0 || code > KRB_ERR_MAX)
             code = 60 /* KRB_ERR_GENERIC */;
 
         krb_error_data.error = code;
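Review bot: The replacement value is still the bare literal `60 /* KRB_ERR_GENERIC */` while the bound beside it is now the named `KRB_ERR_MAX`. The other three hunks use `KRB_ERR_GENERIC` by name, and if that macro comes from the same header as `KRB_ERR_MAX` (not visible here) it is available in this file too, so the line can become `code = KRB_ERR_GENERIC;`. That removes a second place where the numeric value has to be kept in sync by hand. The fail block begins and continues outside the hunk.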

