Bug in IsKerberosLogon ?

Pierre Goyette pierre.goyette at hummingbird.com
Tue May 2 09:40:22 EDT 2006


In 2.6.5 and 3.0, the IsKerberosLogon function appears in two forms,
one of which appears to be broken.
 
In several source files, the IsKerberosLogon function appears as:
 
IsKerberosLogon(VOID)
{
    PSECURITY_LOGON_SESSION_DATA pSessionData = NULL;
    BOOL    Success = FALSE;
 
    if ( GetSecurityLogonSessionData(&pSessionData) ) {
        if ( pSessionData->AuthenticationPackage.Buffer ) {
            WCHAR buffer[256];
            WCHAR *usBuffer;
            int usLength;
 
            Success = FALSE;
            usBuffer = (pSessionData->AuthenticationPackage).Buffer;
            usLength = (pSessionData->AuthenticationPackage).Length;
            if (usLength < 256)
            {
                lstrcpyn (buffer, usBuffer, usLength);
                lstrcat (buffer,L"");
                if ( !lstrcmp(L"Kerberos",buffer) )
                    Success = TRUE;
            }
        }
        LsaFreeReturnBuffer(pSessionData);
    }
    return Success;
}

However, in krb5funcs.c, the source appears as:
 
IsKerberosLogon(VOID)
{
    PSECURITY_LOGON_SESSION_DATA pSessionData = NULL;
    BOOL    Success = FALSE;
 
    if ( GetSecurityLogonSessionData(&pSessionData) ) {
        if ( pSessionData->AuthenticationPackage.Buffer ) {
            WCHAR buffer[256];
            WCHAR *usBuffer;
            int usLength;
 
            Success = FALSE;
            usBuffer = (pSessionData->AuthenticationPackage).Buffer;
            usLength = (pSessionData->AuthenticationPackage).Length;
            if (usLength < 256)
            {
                lstrcpynW (buffer, usBuffer, usLength);
                StringCbCatW (buffer, sizeof(buffer), L"");
                if ( !lstrcmpW(L"Kerberos",buffer) )
                    Success = TRUE;
            }
        }
        pLsaFreeReturnBuffer(pSessionData);
    }
    return Success;
}

The important difference is highlighted in red. The problem is that the
authentication package returned by LsaGetLogonSessionData returns an
LSA_UNICODE_STRING where the contents of the buffer is a wide-string.
 
But, in several instances, the code as highlighted in red, uses
single-byte functions which results in the string "K" being copied and
then compared to "Kerberos". 
 
Although lstrcmp( "Kerberos", "K" ) will return 0, this could also return
0 if the string was another word starting with "K".
 
Is this a bug which should be fixed?
 
Thanks,
 
Pierre
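The mechanism behind the report above, reduced to a portable C demonstration (added here; this is not code from the Kerberos for Windows sources): an LSA_UNICODE_STRING carries a UTF-16 buffer whose Length is in bytes and which need not be NUL-terminated, so a narrow-string copy stops at the 0x00 high byte of 'K' and yields "K" for any package name starting with K, whereas a comparison over Length/2 code units distinguishes "Kerberos" from other K-names. The struct is a minimal stand-in with the same field semantics, the sample buffers are constructed, and a little-endian host is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for LSA_UNICODE_STRING (assumption: same field semantics).
 * Length is in BYTES; Buffer is UTF-16 and may lack a NUL terminator. */
typedef struct {
    uint16_t  Length;
    uint16_t  MaximumLength;
    uint16_t *Buffer;
} lsa_unicode_string;

/* Constructed samples: "Kerberos" and a hypothetical other K-name "Kerb". */
static uint16_t buf_kerberos[] = { 'K','e','r','b','e','r','o','s' };
static uint16_t buf_kerb[]     = { 'K','e','r','b' };
static const lsa_unicode_string sample_kerberos = { 16, 16, buf_kerberos };
static const lsa_unicode_string sample_kerb     = {  8,  8, buf_kerb };

/* The broken pattern: treat the UTF-16 bytes as a narrow C string.
 * On a little-endian host byte 1 of 'K' is 0x00, so the copy stops
 * after one character. Returns the number of chars copied. */
size_t narrow_copy(char *dst, size_t dstsize, const lsa_unicode_string *s)
{
    const char *bytes = (const char *)s->Buffer;
    size_t n = 0;
    while (n + 1 < dstsize && n < s->Length && bytes[n] != '\0')
        dst[n] = bytes[n], n++;
    dst[n] = '\0';
    return n;
}

/* What the narrow check actually compares: 1 if it produced just "K". */
int narrow_check_yields_k(const lsa_unicode_string *s)
{
    char buf[256];
    narrow_copy(buf, sizeof buf, s);
    return strcmp(buf, "K") == 0;
}

/* Correct check: compare Length/2 UTF-16 code units, no terminator assumed. */
int is_kerberos_package(const lsa_unicode_string *s)
{
    static const uint16_t expected[] = { 'K','e','r','b','e','r','o','s' };
    if (s->Length != sizeof expected) return 0;
    return memcmp(s->Buffer, expected, s->Length) == 0;
}

int main(void)
{
    printf("narrow: Kerberos->\"K\"? %d  Kerb->\"K\"? %d\n",
           narrow_check_yields_k(&sample_kerberos), narrow_check_yields_k(&sample_kerb));
    printf("wide:   Kerberos? %d  Kerb? %d\n",
           is_kerberos_package(&sample_kerberos), is_kerberos_package(&sample_kerb));
    return 0;
}
```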
 