krb5-libs/1057: Off by one error in lib/gssapi/krb5/init_sec_context.c

Dan Riley dsr at mail.lns.cornell.edu
Fri Feb 22 13:04:50 EST 2002


>Number:         1057
>Category:       krb5-libs
>Synopsis:       krb5_gss_init_sec_context can miss requested enctypes
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    krb5-unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Fri Feb 22 13:05:00 EST 2002
>Last-Modified:
>Originator:     Dan Riley
>Organization:
LNS, Cornell U.
>Release:        krb5-1.2.3
>Environment:
System: SunOS solfa1.lns.cornell.edu 5.8 Generic_108528-13 sparc
Machine: sparc
>Description:
lib/gssapi/krb5/init_sec_context.c has an off-by-one error that
can result in an enctype being omitted from the list of
requested_enctypes if the uninitialized value one over the end
of the requested_enctypes array happens to match the value of
the corresponding default_enctypes entry.
>How-To-Repeat:
Compile krb5-1.2.3 on Solaris 8 with the Workshop 6 compiler;
kadmin will fail with the error

kadmin: GSS-API (or Kerberos) error while initializing kadmin interface

if the kdc only supports des-cbc-crc:normal and krb5.conf on the
client does not restrict the default tgs enctypes (this is probably
insufficient to repeat the error, since it depends on the values
of uninitialized junk on the stack).
>Fix:
requested_enctypes is filled via

	  requested_enctypes[i++] = e;

so the appropriate test for scanning requested_enctypes is 'k < i',
not 'k <= i'--'k <= i' goes one past the end of the initialized values
of the array.

--- krb5-1.2.3/src/lib/gssapi/krb5/init_sec_context.c	Wed Jan  9 17:27:43 2002
+++ krb5/lib/gssapi/krb5/init_sec_context.c	Fri Feb 22 12:33:00 2002
@@ -488,10 +488,10 @@
 
 	  /* Is this enctype already in the list of enctypes to
 	     request?  */
-	  for (k = 0; k <= i; k++)
+	  for (k = 0; k < i; k++)
 	      if (requested_enctypes[k] == e)
 		  break;
-	  if (k <= i)
+	  if (k < i)
 	      continue;
 
 	  /* Add it.  */

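Review bot: the two comparisons had to change together, and this hunk does that correctly. With `k <= i` the scan compared `requested_enctypes[i]`, the slot that the later `requested_enctypes[i++] = e;` has not written yet, so the post-loop `if (k <= i) continue;` could treat a stale stack value as a duplicate and drop the enctype, even for the very first candidate when `i == 0`. Since `i` is the count of filled entries, `k < i` is the right bound for both the loop and the check. It would help reviewers if the description also flagged this as an uninitialized read, not only as a missed enctype, since that is what makes the failure depend on compiler and stack contents.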
>Audit-Trail:
>Unformatted:
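A constructed C model of the merge loop in the hunk above, added here to show why the bound matters; it is not krb5's code, and the function and enctype ids are invented. The stale slot one past the filled entries is modelled by pre-filling the output array, which stands in for whatever the stack held in the original.

```c
#include <stddef.h>

/* Models the loop shape from the report: walk the candidate (default)
   enctypes, keep those that are permitted, and skip duplicates already in
   out[0..i).  'buggy' selects the original 'k <= i' bound, which also
   compares out[i], a slot that has not been written yet.  Returns the
   number of entries written to out (caller sizes out to n_cand). */
size_t merge_enctypes(const int *candidates, size_t n_cand,
                      const int *allowed, size_t n_allowed,
                      int *out, int buggy)
{
    size_t i = 0;                       /* count of filled entries */
    for (size_t j = 0; j < n_cand; j++) {
        int e = candidates[j];

        /* Is this enctype permitted? */
        size_t a;
        for (a = 0; a < n_allowed; a++)
            if (allowed[a] == e) break;
        if (a == n_allowed) continue;

        /* Is this enctype already in the list of enctypes to request? */
        size_t bound = buggy ? i + 1 : i;   /* buggy: looks at out[i] too */
        size_t k;
        for (k = 0; k < bound; k++)
            if (out[k] == e) break;
        if (k < bound) continue;            /* duplicate (or stale match) */

        out[i++] = e;                       /* Add it. */
    }
    return i;
}

/* Scenario from the report: the unwritten slot happens to hold the same
   value as the next permitted candidate.  Constructed ids, not real
   enctype numbers. */
size_t demo_count(int buggy)
{
    const int candidates[] = { 16, 1, 3 };  /* default list */
    const int allowed[]    = { 1, 3 };      /* what the KDC/conf permits */
    int out[3] = { 1, 1, 1 };               /* stands in for stale stack data */
    return merge_enctypes(candidates, 3, allowed, 2, out, buggy);
}
```

With the original bound demo_count(1) returns 1 because enctype 1 is taken for a duplicate of the stale slot; with the corrected bound demo_count(0) returns 2.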