Bug in set/change password client library

Jeffrey Altman jaltman at secure-endpoints.com
Thu May 5 00:15:00 EDT 2011


On 5/4/2011 11:08 PM, Russ Allbery wrote:
> Hello folks,
> 
> There's a bug in the set/change password client library in at least
> Kerberos 1.9 with the parsing of a reply from a server if the reply is
> longer than 255 bytes.  In src/lib/krb5/krb/chpw.c around line 382, there
> is code to parse the two-byte message length from the decrypted packet:
> 
>         /*
>         ** validate the message length -
>         ** length is big endian
>         */
>         message_length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
>         ptr += 2;
>         /*
>         ** make sure the message length and packet length agree -
>         */
>         if (message_length != packet->length)
>             return(KRB5KRB_AP_ERR_MODIFIED);
> 
> That first part was supposed to be ((ptr[0] & 0xff) << 8) instead.  It
> looks like this bug has been there since the initial protocol contribution
> for the set password protocol.  The version number and AP-REP parsing all
> also have the same problem, but they're much less likely to be that long.
> 
> The result is that if the error reply is long enough to make the total
> message length more than 255, an error of KRB5KRB_AP_ERR_MODIFIED is
> always returned rather than the correct password change error.

The error is not just on that line.  The error is repeated for
message_length, version_number, ap_rep.length, and *result_code within
krb5int_rd_setpw_rep().

Jeffrey Altman
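The following is an added example written for this page, not code from the krb5 tree or from either poster. It models the two-byte big-endian length parse and the length-agreement check quoted above, side by side in the buggy form and the corrected form, and runs both over a constructed reply buffer so the failure at lengths above 255 is visible. The buffer layout (a two-byte length covering the whole packet, then filler), the CHECK_OK/CHECK_MODIFIED return codes standing in for KRB5KRB_AP_ERR_MODIFIED, and all function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Length parse as it appears in the buggy chpw.c code.  Because the low
 * byte of (ptr[0] << 8) is always zero, masking it with 0xff yields 0,
 * so only ptr[1] contributes and any length > 255 is truncated.
 */
static unsigned int parse_len_buggy(const char *ptr)
{
    return (unsigned int)(((ptr[0] << 8) & 0xff) | (ptr[1] & 0xff));
}

/*
 * Corrected form: mask the (possibly sign-extended) char to its byte
 * value first, then shift it into the high half.
 */
static unsigned int parse_len_fixed(const char *ptr)
{
    return (unsigned int)(((ptr[0] & 0xff) << 8) | (ptr[1] & 0xff));
}

/* Stand-ins for the real return codes; values chosen for this example only. */
enum { CHECK_OK = 0, CHECK_MODIFIED = 1 };

/*
 * Minimal model of the "message length and packet length agree" check:
 * parse the 2-byte length with the supplied parser and compare it to the
 * length of the whole packet, as the quoted code does.
 */
static int check_reply(const char *packet, size_t packet_length,
                       unsigned int (*parse_len)(const char *))
{
    if (packet_length < 2)
        return CHECK_MODIFIED;
    unsigned int message_length = parse_len(packet);
    if (message_length != packet_length)
        return CHECK_MODIFIED;
    return CHECK_OK;
}

/*
 * Constructed reply for the example: a big-endian 2-byte length that covers
 * the entire packet (header included), followed by filler bytes.
 */
static size_t build_reply(char *buf, size_t total_len)
{
    buf[0] = (char)((total_len >> 8) & 0xff);
    buf[1] = (char)(total_len & 0xff);
    memset(buf + 2, 'x', total_len - 2);
    return total_len;
}

/* Build a reply of total_len bytes and run the length check with parse_len. */
static int reply_accepted(size_t total_len,
                          unsigned int (*parse_len)(const char *))
{
    static char buf[2048];
    if (total_len < 2 || total_len > sizeof buf)
        return CHECK_MODIFIED;
    size_t n = build_reply(buf, total_len);
    return check_reply(buf, n, parse_len);
}

/* Constructed header whose high byte has the top bit set (sign-extends
   when char is signed), to show the mask-then-shift order matters. */
static const char high_bit_len[2] = { (char)0x80, 0x00 };

int main(void)
{
    size_t lens[] = { 100, 255, 256, 300, 1000 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        static char buf[1024];
        size_t n = build_reply(buf, lens[i]);
        printf("len %4zu: buggy parses %4u (%s), fixed parses %4u (%s)\n",
               n, parse_len_buggy(buf),
               check_reply(buf, n, parse_len_buggy) == CHECK_OK ? "ok" : "MODIFIED",
               parse_len_fixed(buf),
               check_reply(buf, n, parse_len_fixed) == CHECK_OK ? "ok" : "MODIFIED");
    }
    printf("0x80 0x00: buggy %u, fixed %u\n",
           parse_len_buggy(high_bit_len), parse_len_fixed(high_bit_len));
    return 0;
}
```

For a 300-byte reply the buggy parser yields 44 (300 & 0xff), so the agreement check fails and the caller sees the "modified" error instead of the server's real result; the fixed parser yields 300 and the check passes. The corrected form also avoids left-shifting a negative value when ptr is a plain char and the high byte has its top bit set, which is undefined behaviour in C.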

