[krbdev.mit.edu #5841] [Comment] GSSAPI Error Display Bug
Greg Hudson via RT
rt-comment at kerborg-prod-app-1.mit.edu
Fri Apr 11 13:57:22 EDT 2025
http://kerborg-prod-app-1.mit.edu/rt/Ticket/Display.html?id=5841
This is a comment. It is not sent to the Requestor(s):
This bug was never fixed in g_display_com_err_status(). However, I believe
all visible manifestations of it were fixed in 1.7. Details follow:
Commit fcdd2de143971b0f020531479ad18f57874aef30 changed
krb5_gss_display_status() to support extended error messages; in the process,
it stopped using g_display_com_err_status().
Commit abcfdaff756631d73f49103f679cafa7bc45f14e added the necessary cast to
the error_message() call in the replacement code.
g_display_com_err_status() is still used by the
mechglue's g_display_com_err_status() when the minor code mapping does not
contain a mech OID--meaning the code was generated by the mechglue, not by a
mech. So, for this bug to remain visible, the mechglue would have to generate
a com_err code within the negative range. System errors like ENOMEM are
positive, so wouldn't manifest the bug.
Since the mechglue sometimes delegates to functions in lib/gssapi/generic,
codes in gssapi_err_generic.et are a concern, as that table is within the
negative range. Currently, it looks like none of those codes are currently
generated outside of a mech.
I will add the cast as suggested, with a commit message note that it doesn't
change anything in practice.
More information about the krb5-bugs
mailing list