The branch, master has been updated
       via  b8ffb245964 third_party/heimdal: krb5: Try to decode e-data as 
KERB-ERROR-DATA (falling back to METHOD-DATA) (Import 
lorikeet-heimdal-202311092338 (commit 50996e5f0b0f22a4eb755a6f22cb7b4ecab2aeea))
      from  fb867873d87 netcmd: Disallow device‐specific attributes and 
operators for allowed‐to‐authenticate‐from fields

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit b8ffb24596452edb647d8df8b2ec608a607ebac4
Author: Joseph Sutton <[email protected]>
Date:   Fri Nov 10 12:43:03 2023 +1300

    third_party/heimdal: krb5: Try to decode e-data as KERB-ERROR-DATA (falling 
back to METHOD-DATA) (Import lorikeet-heimdal-202311092338 (commit 
50996e5f0b0f22a4eb755a6f22cb7b4ecab2aeea))
    
    Previously we tried to decode KERB-ERROR-DATA as METHOD-DATA,
    resulting in a confusing error message. Now we just ignore it; but we
    could also choose to set an error message containing the NTSTATUS code
    in hexadecimal.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15514
    
    Signed-off-by: Joseph Sutton <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>
    
    Autobuild-User(master): Andrew Bartlett <[email protected]>
    Autobuild-Date(master): Fri Nov 10 01:35:32 UTC 2023 on atb-devel-224

-----------------------------------------------------------------------

Summary of changes:
 third_party/heimdal/lib/krb5/get_cred.c      | 30 +++++++++++++++++-----
 third_party/heimdal/lib/krb5/init_creds_pw.c | 37 ++++++++++++++++++++--------
 2 files changed, 51 insertions(+), 16 deletions(-)


Changeset truncated at 500 lines:

diff --git a/third_party/heimdal/lib/krb5/get_cred.c 
b/third_party/heimdal/lib/krb5/get_cred.c
index 6e48846bcb3..ff06325912b 100644
--- a/third_party/heimdal/lib/krb5/get_cred.c
+++ b/third_party/heimdal/lib/krb5/get_cred.c
@@ -719,13 +719,31 @@ get_cred_kdc(krb5_context context,
        memset(&md, 0, sizeof(md));
 
        if (rep.error.e_data) {
-           ret = decode_METHOD_DATA(rep.error.e_data->data,
-                                    rep.error.e_data->length,
-                                    &md, NULL);
+           KERB_ERROR_DATA kerb_error_data;
+
+           memset(&kerb_error_data, 0, sizeof(kerb_error_data));
+
+           /* First try to decode the e-data as KERB-ERROR-DATA. */
+           ret = decode_KERB_ERROR_DATA(rep.error.e_data->data,
+                                        rep.error.e_data->length,
+                                        &kerb_error_data,
+                                        &len);
            if (ret) {
-               krb5_set_error_message(context, ret,
-                                      N_("Failed to decode METHOD-DATA", ""));
-               goto out;
+               /* That failed, so try to decode it as METHOD-DATA. */
+               ret = decode_METHOD_DATA(rep.error.e_data->data,
+                                        rep.error.e_data->length,
+                                        &md, NULL);
+               if (ret) {
+                   krb5_set_error_message(context, ret,
+                                          N_("Failed to decode METHOD-DATA", 
""));
+                   goto out;
+               }
+           } else if (len != rep.error.e_data->length) {
+               /* Trailing data — just ignore the error. */
+               free_KERB_ERROR_DATA(&kerb_error_data);
+           } else {
+               /* OK. */
+               free_KERB_ERROR_DATA(&kerb_error_data);
            }
        }
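Review bot: The two success branches of the new KERB-ERROR-DATA path are identical — both `else if (len != rep.error.e_data->length)` and the final `else` only call `free_KERB_ERROR_DATA(&kerb_error_data)` — so the trailing-data distinction exists only in the comments, and a reader expects the trailing-data case to fall back to METHOD-DATA or at least be logged; the same duplicated shape appears in the init_creds_pw.c hunk. Collapse them into one branch with a comment that states the decision: `} else {` / `/* Decoded as KERB-ERROR-DATA (trailing bytes tolerated): nothing to act on, discard it. */` / `free_KERB_ERROR_DATA(&kerb_error_data);`. Note that `len` is not declared in the hunk, so it presumably is an existing `size_t` in get_cred_kdc; and the fallback path assumes `decode_KERB_ERROR_DATA` releases any partially decoded contents when it fails, which is worth confirming since nothing in this hunk frees `kerb_error_data` on that path. get_cred_kdc begins and ends outside the hunk.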
 
diff --git a/third_party/heimdal/lib/krb5/init_creds_pw.c 
b/third_party/heimdal/lib/krb5/init_creds_pw.c
index 2c026ad29f2..8b6db0be594 100644
--- a/third_party/heimdal/lib/krb5/init_creds_pw.c
+++ b/third_party/heimdal/lib/krb5/init_creds_pw.c
@@ -3146,19 +3146,36 @@ init_creds_step(krb5_context context,
            memset(&ctx->md, 0, sizeof(ctx->md));
 
            if (ctx->error.e_data) {
+               KERB_ERROR_DATA kerb_error_data;
                krb5_error_code ret2;
 
-               ret2 = decode_METHOD_DATA(ctx->error.e_data->data,
-                                        ctx->error.e_data->length,
-                                        &ctx->md,
-                                        NULL);
+               memset(&kerb_error_data, 0, sizeof(kerb_error_data));
+
+               /* First try to decode the e-data as KERB-ERROR-DATA. */
+               ret2 = decode_KERB_ERROR_DATA(ctx->error.e_data->data,
+                                             ctx->error.e_data->length,
+                                             &kerb_error_data,
+                                             &len);
                if (ret2) {
-                   /*
-                    * Just ignore any error, the error will be pushed
-                    * out from krb5_error_from_rd_error() if there
-                    * was one.
-                    */
-                   _krb5_debug(context, 5, N_("Failed to decode METHOD-DATA", 
""));
+                   /* That failed, so try to decode it as METHOD-DATA. */
+                   ret2 = decode_METHOD_DATA(ctx->error.e_data->data,
+                                             ctx->error.e_data->length,
+                                             &ctx->md,
+                                             NULL);
+                   if (ret2) {
+                       /*
+                        * Just ignore any error, the error will be pushed
+                        * out from krb5_error_from_rd_error() if there
+                        * was one.
+                        */
+                       _krb5_debug(context, 5, N_("Failed to decode 
METHOD-DATA", ""));
+                   }
+               } else if (len != ctx->error.e_data->length) {
+                   /* Trailing data — just ignore the error. */
+                   free_KERB_ERROR_DATA(&kerb_error_data);
+               } else {
+                   /* OK. */
+                   free_KERB_ERROR_DATA(&kerb_error_data);
                }
            }
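Review bot: When the e-data does decode as KERB-ERROR-DATA, init_creds_step drops it silently in both success branches, whereas the METHOD-DATA failure path below still emits `_krb5_debug(context, 5, ...)`; a KDC-supplied error payload (the NTSTATUS the commit message mentions) therefore leaves no trace, which makes authentication failures harder to diagnose from the client side. Add a debug line in the success branch, e.g. `_krb5_debug(context, 5, N_("Ignoring KERB-ERROR-DATA in e-data", ""));`, optionally including its data-type value. `len` is not declared in this hunk and is presumably an existing `size_t` in init_creds_step; init_creds_step begins and ends outside the hunk.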
 

