Kerberos referrals

Kevin Coffman kwc at citi.umich.edu
Wed Nov 9 16:20:55 EST 2005


On 11/9/05, Mike Friedman <mikef at ack.berkeley.edu> wrote:
>
> On Wed, 9 Nov 2005 at 15:36 (-0500), Kevin Coffman wrote:
>
> > Our patches are here: http://www.citi.umich.edu/u/kwc/krb5stuff/referrals.html
> >
> > The page will be updated soon with a patch for 1.4.2, but the 1.3.4
> > patch applied rather cleanly last night while doing the cvs merge to
> > 1.4.2.
>
> Kevin,
>
> I've been using your referrals patch for about 4 years now and last August
> I updated our KDC to 1.4.2.  So, I had to update the patch as well. Aside
> from line number changes, I found at least one place where a substantive
> (though very small) change was required.
>
> In krb5/src/lib/krb5/os/hst_realm.c, in the krbt_get_host_referral_realm
> function, I changed
>
>      char local_host[MAX_DNS_NAMELEN+1];
>
> to
>
>      char local_host[MAXDNAME];
>
> because, I believe (this is based on my memory now) MAX_DNS_NAMELEN was
> not defined in this module.  I figured that MAXDNAME was large enough to
> incorporate the size of MAX_DNS_NAMELEN+1, at least to avoid a buffer
> overflow condition.  Of course, I might be wrong and there may very well
> be a better way to handle this change.
>
> My 1.4.2 KDC has been running (continuously) since early September with no
> problems.
>
> I didn't send you my patch updates because initially I was going to 1.4.1
> and I needed to incorporate MIT patches SA-2005-002 and SA-2005-003 that
> came out before 1.4.2 was released and which hit one of the modules that
> your patch does.  So I had to incorporate all 3 patches in that particular
> module (kdc/do_tgs_req.c, I believe).
>
> But then I decided to go with 1.4.2, so I guess my referrals patch stands
> on its own.  If you like, I can send it to you if you haven't already done
> your own update.
>
> Mike

Thanks Mike,
I remembered that one-line change after I sent my previous message.  I
made the same change (except from "MAX_DNS_NAMELEN+1" to
"MAXDNAME+1").

I have a script somewhere to generate the patch, so now that I've done
the merge it should be easy enough to generate a new patch.  But if
you have a clean referrals patch, it would be nice to compare.  We
have other local mods that I try to keep out of those patches.

K.C.


