Bug in set/change password client library

Russ Allbery rra at stanford.edu
Wed May 4 23:08:22 EDT 2011

Hello folks,

There's a bug in the set/change password client library in at least
Kerberos 1.9 with the parsing of a reply from a server if the reply is
longer than 255 bytes.  In src/lib/krb5/krb/chpw.c around line 382, there
is code to parse the two-byte message length from the decrypted packet:

        ** validate the message length -
        ** length is big endian
        message_length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
        ptr += 2;
        ** make sure the message length and packet length agree -
        if (message_length != packet->length)

That first part was supposed to be ((ptr[0] & 0xff) << 8) instead.  It
looks like this bug has been there since the initial protocol contribution
for the set password protocol.  The version number and AP-REP parsing all
also have the same problem, but they're much less likely to be that long.

The result is that if the error reply is long enough to make the total
message length more than 255, an error of KRB5KRB_AP_ERR_MODIFIED is
always returned rather than the correct password change error.

Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

More information about the krbdev mailing list