[krbdev.mit.edu #8054] spurious "Communication failure" from kadmind with certain policy values
Tom Yu via RT
rt-comment at krbdev.mit.edu
Fri Dec 26 17:20:19 EST 2014
Marc Richter observed the error
'get_policy: Communication failure with server while retrieving policy "admin"'
when attempting to retrieve a policy with a pw_max_life value that is greater than 2**31 but
less than 2**32.

The libkadm5 RPCs use xdr_long() instead of xdr_uint32() in a few places
because the relevant fields in the kadm5_policy_ent_rec structure are declared as long.
xdr_long() is only supposed to work for signed 32-bit integer values, so on a 64-bit platform,
the C long type can represent values that are outside of this range, causing xdr_long() to fail
on the server.

libkadm5 should probably either reject such problematic values, or clamp them to reasonable
bounds. There might also need to be handling of existing databases containing the
problematic values.

Further background information at
http://mailman.mit.edu/pipermail/kerberos/2014-December/020408.html
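
An added example (not MIT krb5 code and not part of the original report) that models the failure described above: a signed 32-bit encoder refuses a value between 2**31 and 2**32 held in a 64-bit long, while an unsigned 32-bit encoder or a clamp before encoding does not. All function names are hypothetical, `int64_t` is assumed to stand in for a 64-bit C long, and the sample pw_max_life value is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: int64_t stands in for the C long of a 64-bit (LP64) platform. */
typedef int64_t long64;

/* Write a 32-bit quantity in XDR (big-endian) byte order. */
static void put_be32(uint32_t u, unsigned char out[4])
{
    out[0] = (unsigned char)(u >> 24);
    out[1] = (unsigned char)(u >> 16);
    out[2] = (unsigned char)(u >> 8);
    out[3] = (unsigned char)u;
}

/* Hypothetical model of a signed encoder: refuses values outside int32. */
static bool model_encode_long(long64 v, unsigned char out[4])
{
    if (v > INT32_MAX || v < INT32_MIN)
        return false;               /* the RPC reply cannot be built */
    put_be32((uint32_t)(int32_t)v, out);
    return true;
}

/* Hypothetical model of an unsigned 32-bit encoder. */
static bool model_encode_u32(long64 v, unsigned char out[4])
{
    if (v < 0 || v > UINT32_MAX)
        return false;
    put_be32((uint32_t)v, out);
    return true;
}

/* One of the two mitigations the report suggests: clamp before encoding. */
static long64 clamp_to_int32(long64 v)
{
    return v > INT32_MAX ? INT32_MAX : (v < INT32_MIN ? INT32_MIN : v);
}

int main(void)
{
    unsigned char buf[4];
    long64 pw_max_life = 3000000000LL;   /* constructed: between 2**31 and 2**32 */
    printf("signed: %d unsigned: %d clamped: %d\n",
           model_encode_long(pw_max_life, buf), model_encode_u32(pw_max_life, buf),
           model_encode_long(clamp_to_int32(pw_max_life), buf));
    return 0;
}
```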