Love Hörnquist Åstrand
Sun, 18 Mar 2007 15:30:28 -0800
On 17 Mar 2007, at 06:34, Kevin Coffman wrote:
Testing the latest CVS kinit against our MIT KDCs (1.4.3 and 1.6+) I ran into a couple of problems. The first error being reported was "Did not find a plugin for resolve". It turns out, this wasn't the real error, but it was the only one being reported. I patched lib/krb5/krbhost.c to clear the error message if a kdc is eventually found. This allowed the real error to be printed. It seems there is a general problem of getting the right error printed.
Yes, not all paths have enough krb5_clear_error_string() and when I've pushed more error strings deeper into the codepaths the problem occurs. The problem is when the second error code is generated.
The real problem was then revealed. I now got the message "ASN.1 invalid character in string". After a little digging, I found that the error packet returned by the MIT KDC has the string "NEEDED_PREAUTH\0" encoded with a length of 15. der_get_general_string() checks to see if the string contains a null and reports an error. In this case there is a null, but it is the last character, which seems harmless. I'm sure more work could be done to eliminate the double null if desired. Also, I couldn't figure out what the initial length check was really trying to check. What is there seems useless.
You should send a bug report to the MIT people since I really think this is invalid generated data. That said, maybe the code should be slightly more liberal than it is now.

The check that you can't figure out is for integer overflow in the malloc below it, maybe it's a little too much paranoia, but I think it's better to be consistent and check for that anyway.

Love
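The two checks discussed in this thread, as an added example that is not part of the original message and is not Heimdal's der_get_general_string(): a content-octet decoder that guards the `len + 1` allocation against wrap-around, rejects a NUL embedded in the middle of a GeneralString, and tolerates NULs only at the end. The function name, error codes and sample bytes are assumptions made for this sketch, and the DER tag and length header are assumed to have been parsed already.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical error codes for this sketch (not Heimdal's ASN.1 error values). */
enum { GS_OK = 0, GS_OVERFLOW = 1, GS_BAD_CHARACTER = 2, GS_NOMEM = 3 };

/* Copy the len content octets at p into a new NUL-terminated string in *out.
 * NULs at the very end are dropped; a NUL followed by any non-NUL octet is
 * rejected, because a C caller would see a shorter string than was encoded. */
int get_general_string(const unsigned char *p, size_t len, char **out)
{
    const unsigned char *nul;
    char *s;
    size_t i;

    *out = NULL;
    /* len + 1 is passed to malloc below; refuse a length that would wrap. */
    if (len > SIZE_MAX - 1)
        return GS_OVERFLOW;

    nul = memchr(p, 0, len);
    if (nul != NULL) {
        for (i = (size_t)(nul - p); i < len; i++)
            if (p[i] != 0)
                return GS_BAD_CHARACTER;   /* embedded NUL */
        len = (size_t)(nul - p);           /* only trailing NULs: drop them */
    }

    s = malloc(len + 1);
    if (s == NULL)
        return GS_NOMEM;
    memcpy(s, p, len);
    s[len] = '\0';
    *out = s;
    return GS_OK;
}

int main(void)
{
    /* Constructed sample: 14 characters plus one NUL, 15 content octets. */
    char *s;
    int rc = get_general_string((const unsigned char *)"NEEDED_PREAUTH", 15, &s);
    printf("%d %s\n", rc, rc == GS_OK ? s : "(error)");
    free(s);
    return 0;
}
```

Without the wrap-around guard, a length of SIZE_MAX would make `len + 1` evaluate to 0, so malloc could return a tiny buffer that the following copy overruns.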