Potential bug using TCP for kinit to KDC communication

Oli Mlist olmlist at gmail.com
Mon Apr 2 11:30:31 EDT 2012


Hi,

I am experimenting with kinit requesting tickets from the KDC over TCP and
see that all attempts fall back to UDP. Looking at the code, it seems there
is a bug; see below.

My setup:
- MIT Kerberos 1.10.1, built from source code and running this build
- krb5.conf with udp_preference_limit=1
- kdc.conf with kdc_tcp_ports=88

Here is part of the flow in sendto_kdc.c:
- KDC hostname gets resolved (resolve_server()) and several connections are
attempted, first ones with TCP, and some UDP sockets are created too.
- each connection is attempted by a start_connection() call; they all
succeed.
- at the end of start_connection(), there is an ssflags local variable into
which the SSF_READ flag is being set (among others), and this state is
saved through cm_add_fd().
- for TCP sockets, the service_tcp_fd() function is called, running a state
machine.
- inside service_tcp_fd(), for the CONNECTING state, a check is made for
the SSF_READ flag. If this flag is set, a comment says the KDC is sending
data to us, which is interpreted as an error, so the TCP socket is
disconnected by the client. As seen above, this SSF_READ flag had been
explicitly set at the end of start_connection().
- consequently, all the TCP sockets are closed following the same scenario,
then Kerberos falls back to UDP sockets, which do succeed in contacting the
KDC.

So I think there is a bug there: either start_connection() should not set
the SSF_READ flag by default, or service_tcp_fd() shouldn't check
the SSF_READ flag during the CONNECTING phase and fall into error there.

Thanks for letting me know if this is indeed a bug or whether I am missing
something,

-- oli.

