aboutsummaryrefslogtreecommitdiff
path: root/network/krb5/patches
diff options
context:
space:
mode:
authorTom Canich <tcanich@canich.net>2010-05-12 23:32:21 +0200
committerDavid Somero <xgizzmo@slackbuilds.org>2010-05-12 23:32:21 +0200
commit8631a96ddfe028076b77b0cdd84244faa78eca6b (patch)
tree68ea76f364c6454feae0de6f9d81338c79d013dd /network/krb5/patches
parent43858c38016b71d1112b70f70a4c37755140af55 (diff)
network/krb5: Added to 12.2 repository
Diffstat (limited to 'network/krb5/patches')
-rw-r--r--network/krb5/patches/2008-001-patch.txt337
-rw-r--r--network/krb5/patches/2008-002-patch.txt72
-rw-r--r--network/krb5/patches/2009-001-patch.txt187
-rw-r--r--network/krb5/patches/2009-002-patch.txt35
4 files changed, 631 insertions, 0 deletions
diff --git a/network/krb5/patches/2008-001-patch.txt b/network/krb5/patches/2008-001-patch.txt
new file mode 100644
index 0000000000000..b26b9fddcf90d
--- /dev/null
+++ b/network/krb5/patches/2008-001-patch.txt
@@ -0,0 +1,337 @@
+Index: src/kdc/dispatch.c
+===================================================================
+--- src/kdc/dispatch.c (revision 20192)
++++ src/kdc/dispatch.c (working copy)
+@@ -1,7 +1,7 @@
+ /*
+ * kdc/dispatch.c
+ *
+- * Copyright 1990 by the Massachusetts Institute of Technology.
++ * Copyright 1990, 2007 by the Massachusetts Institute of Technology.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+@@ -107,7 +107,7 @@
+ retval = KRB5KRB_AP_ERR_MSG_TYPE;
+ #ifndef NOCACHE
+ /* put the response into the lookaside buffer */
+- if (!retval)
++ if (!retval && *response != NULL)
+ kdc_insert_lookaside(pkt, *response);
+ #endif
+
+Index: src/kdc/kerberos_v4.c
+===================================================================
+--- src/kdc/kerberos_v4.c (revision 20192)
++++ src/kdc/kerberos_v4.c (working copy)
+@@ -1,7 +1,7 @@
+ /*
+ * kdc/kerberos_v4.c
+ *
+- * Copyright 1985, 1986, 1987, 1988,1991 by the Massachusetts Institute
++ * Copyright 1985, 1986, 1987, 1988,1991,2007 by the Massachusetts Institute
+ * of Technology.
+ * All Rights Reserved.
+ *
+@@ -87,11 +87,6 @@
+ #define MSB_FIRST 0 /* 68000, IBM RT/PC */
+ #define LSB_FIRST 1 /* Vax, PC8086 */
+
+-int f;
+-
+-/* XXX several files in libkdb know about this */
+-char *progname;
+-
+ #ifndef BACKWARD_COMPAT
+ static Key_schedule master_key_schedule;
+ static C_Block master_key;
+@@ -143,10 +138,8 @@
+ #include "com_err.h"
+ #include "extern.h" /* to pick up master_princ */
+
+-static krb5_data *response;
+-
+-void kerberos_v4 (struct sockaddr_in *, KTEXT);
+-void kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *);
++static krb5_data *kerberos_v4 (struct sockaddr_in *, KTEXT);
++static krb5_data *kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *);
+ static int set_tgtkey (char *, krb5_kvno, krb5_boolean);
+
+ /* Attributes converted from V5 to V4 - internal representation */
+@@ -262,12 +255,12 @@
+ (void) klog(L_KRB_PERR, "V4 request too long.");
+ return KRB5KRB_ERR_FIELD_TOOLONG;
+ }
++ memset( &v4_pkt, 0, sizeof(v4_pkt));
+ v4_pkt.length = pkt->length;
+ v4_pkt.mbz = 0;
+ memcpy( v4_pkt.dat, pkt->data, pkt->length);
+
+- kerberos_v4( &client_sockaddr, &v4_pkt);
+- *resp = response;
++ *resp = kerberos_v4( &client_sockaddr, &v4_pkt);
+ return(retval);
+ }
+
+@@ -300,19 +293,20 @@
+ }
+
+ static
+-int krb4_sendto(int s, const char *msg, int len, int flags,
+- const struct sockaddr *to, int to_len)
++krb5_data *make_response(const char *msg, int len)
+ {
++ krb5_data *response;
++
+ if ( !(response = (krb5_data *) malloc( sizeof *response))) {
+- return ENOMEM;
++ return 0;
+ }
+ if ( !(response->data = (char *) malloc( len))) {
+ krb5_free_data(kdc_context, response);
+- return ENOMEM;
++ return 0;
+ }
+ response->length = len;
+ memcpy( response->data, msg, len);
+- return( 0);
++ return response;
+ }
+ static void
+ hang(void)
+@@ -586,7 +580,7 @@
+ *cp = 0;
+ }
+
+-void
++static krb5_data *
+ kerberos_v4(struct sockaddr_in *client, KTEXT pkt)
+ {
+ static KTEXT_ST rpkt_st;
+@@ -599,8 +593,8 @@
+ KTEXT auth = &auth_st;
+ AUTH_DAT ad_st;
+ AUTH_DAT *ad = &ad_st;
++ krb5_data *response = 0;
+
+-
+ static struct in_addr client_host;
+ static int msg_byte_order;
+ static int swap_bytes;
+@@ -637,8 +631,7 @@
+ inet_ntoa(client_host));
+ /* send an error reply */
+ req_name_ptr = req_inst_ptr = req_realm_ptr = "";
+- kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt);
+- return;
++ return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt);
+ }
+
+ /* check packet version */
+@@ -648,8 +641,7 @@
+ KRB_PROT_VERSION, req_version, 0);
+ /* send an error reply */
+ req_name_ptr = req_inst_ptr = req_realm_ptr = "";
+- kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt);
+- return;
++ return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt);
+ }
+ msg_byte_order = req_msg_type & 1;
+
+@@ -707,10 +699,10 @@
+
+ if ((i = check_princ(req_name_ptr, req_inst_ptr, 0,
+ &a_name_data, &k5key, 0, &ck5life))) {
+- kerb_err_reply(client, pkt, i, "check_princ failed");
++ response = kerb_err_reply(client, pkt, i, "check_princ failed");
+ a_name_data.key_low = a_name_data.key_high = 0;
+ krb5_free_keyblock_contents(kdc_context, &k5key);
+- return;
++ return response;
+ }
+ /* don't use k5key for client */
+ krb5_free_keyblock_contents(kdc_context, &k5key);
+@@ -722,11 +714,11 @@
+ /* this does all the checking */
+ if ((i = check_princ(service, instance, lifetime,
+ &s_name_data, &k5key, 1, &sk5life))) {
+- kerb_err_reply(client, pkt, i, "check_princ failed");
++ response = kerb_err_reply(client, pkt, i, "check_princ failed");
+ a_name_data.key_high = a_name_data.key_low = 0;
+ s_name_data.key_high = s_name_data.key_low = 0;
+ krb5_free_keyblock_contents(kdc_context, &k5key);
+- return;
++ return response;
+ }
+ /* Bound requested lifetime with service and user */
+ v4req_end = krb_life_to_time(kerb_time.tv_sec, req_life);
+@@ -797,8 +789,7 @@
+ rpkt = create_auth_reply(req_name_ptr, req_inst_ptr,
+ req_realm_ptr, req_time_ws, 0, a_name_data.exp_date,
+ a_name_data.key_version, ciph);
+- krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0,
+- (struct sockaddr *) client, sizeof (struct sockaddr_in));
++ response = make_response((char *) rpkt->dat, rpkt->length);
+ memset(&a_name_data, 0, sizeof(a_name_data));
+ memset(&s_name_data, 0, sizeof(s_name_data));
+ break;
+@@ -824,9 +815,8 @@
+ lt = klog(L_KRB_PERR,
+ "APPL request with realm length too long from %s",
+ inet_ntoa(client_host));
+- kerb_err_reply(client, pkt, RD_AP_INCON,
+- "realm length too long");
+- return;
++ return kerb_err_reply(client, pkt, RD_AP_INCON,
++ "realm length too long");
+ }
+
+ auth->length += (int) *(pkt->dat + auth->length) +
+@@ -835,9 +825,8 @@
+ lt = klog(L_KRB_PERR,
+ "APPL request with funky tkt or req_id length from %s",
+ inet_ntoa(client_host));
+- kerb_err_reply(client, pkt, RD_AP_INCON,
+- "funky tkt or req_id length");
+- return;
++ return kerb_err_reply(client, pkt, RD_AP_INCON,
++ "funky tkt or req_id length");
+ }
+
+ memcpy(auth->dat, pkt->dat, auth->length);
+@@ -848,18 +837,16 @@
+ if ((!allow_v4_crossrealm)&&strcmp(tktrlm, local_realm) != 0) {
+ lt = klog(L_ERR_UNK,
+ "Cross realm ticket from %s denied by policy,", tktrlm);
+- kerb_err_reply(client, pkt,
+- KERB_ERR_PRINCIPAL_UNKNOWN, lt);
+- return;
++ return kerb_err_reply(client, pkt,
++ KERB_ERR_PRINCIPAL_UNKNOWN, lt);
+ }
+ if (set_tgtkey(tktrlm, kvno, 0)) {
+- lt = klog(L_ERR_UNK,
++ lt = klog(L_ERR_UNK,
+ "FAILED set_tgtkey realm %s, kvno %d. Host: %s ",
+ tktrlm, kvno, inet_ntoa(client_host));
+ /* no better error code */
+- kerb_err_reply(client, pkt,
+- KERB_ERR_PRINCIPAL_UNKNOWN, lt);
+- return;
++ return kerb_err_reply(client, pkt,
++ KERB_ERR_PRINCIPAL_UNKNOWN, lt);
+ }
+ kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr,
+ ad, 0);
+@@ -869,9 +856,8 @@
+ "FAILED 3des set_tgtkey realm %s, kvno %d. Host: %s ",
+ tktrlm, kvno, inet_ntoa(client_host));
+ /* no better error code */
+- kerb_err_reply(client, pkt,
+- KERB_ERR_PRINCIPAL_UNKNOWN, lt);
+- return;
++ return kerb_err_reply(client, pkt,
++ KERB_ERR_PRINCIPAL_UNKNOWN, lt);
+ }
+ kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr,
+ ad, 0);
+@@ -881,8 +867,7 @@
+ klog(L_ERR_UNK, "FAILED krb_rd_req from %s: %s",
+ inet_ntoa(client_host), krb_get_err_text(kerno));
+ req_name_ptr = req_inst_ptr = req_realm_ptr = "";
+- kerb_err_reply(client, pkt, kerno, "krb_rd_req failed");
+- return;
++ return kerb_err_reply(client, pkt, kerno, "krb_rd_req failed");
+ }
+ ptr = (char *) pkt->dat + auth->length;
+
+@@ -904,22 +889,21 @@
+ req_realm_ptr = ad->prealm;
+
+ if (strcmp(ad->prealm, tktrlm)) {
+- kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN,
+- "Can't hop realms");
+- return;
++ return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN,
++ "Can't hop realms");
+ }
+ if (!strcmp(service, "changepw")) {
+- kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN,
+- "Can't authorize password changed based on TGT");
+- return;
++ return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN,
++ "Can't authorize password changed based on TGT");
+ }
+ kerno = check_princ(service, instance, req_life,
+ &s_name_data, &k5key, 1, &sk5life);
+ if (kerno) {
+- kerb_err_reply(client, pkt, kerno, "check_princ failed");
++ response = kerb_err_reply(client, pkt, kerno,
++ "check_princ failed");
+ s_name_data.key_high = s_name_data.key_low = 0;
+ krb5_free_keyblock_contents(kdc_context, &k5key);
+- return;
++ return response;
+ }
+ /* Bound requested lifetime with service and user */
+ v4endtime = krb_life_to_time((KRB4_32)ad->time_sec, ad->life);
+@@ -975,8 +959,7 @@
+ rpkt = create_auth_reply(ad->pname, ad->pinst,
+ ad->prealm, time_ws,
+ 0, 0, 0, ciph);
+- krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0,
+- (struct sockaddr *) client, sizeof (struct sockaddr_in));
++ response = make_response((char *) rpkt->dat, rpkt->length);
+ memset(&s_name_data, 0, sizeof(s_name_data));
+ break;
+ }
+@@ -1001,6 +984,7 @@
+ break;
+ }
+ }
++ return response;
+ }
+
+
+@@ -1010,7 +994,7 @@
+ * client.
+ */
+
+-void
++static krb5_data *
+ kerb_err_reply(struct sockaddr_in *client, KTEXT pkt, long int err, char *string)
+ {
+ static KTEXT_ST e_pkt_st;
+@@ -1021,9 +1005,7 @@
+ strncat(e_msg, string, sizeof(e_msg) - 1 - 19);
+ cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr,
+ req_time_ws, err, e_msg);
+- krb4_sendto(f, (char *) e_pkt->dat, e_pkt->length, 0,
+- (struct sockaddr *) client, sizeof (struct sockaddr_in));
+-
++ return make_response((char *) e_pkt->dat, e_pkt->length);
+ }
+
+ static int
+Index: src/kdc/network.c
+===================================================================
+--- src/kdc/network.c (revision 20192)
++++ src/kdc/network.c (working copy)
+@@ -1,7 +1,7 @@
+ /*
+ * kdc/network.c
+ *
+- * Copyright 1990,2000 by the Massachusetts Institute of Technology.
++ * Copyright 1990,2000,2007 by the Massachusetts Institute of Technology.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+@@ -747,6 +747,8 @@
+ com_err(prog, retval, "while dispatching (udp)");
+ return;
+ }
++ if (response == NULL)
++ return;
+ cc = sendto(port_fd, response->data, (socklen_t) response->length, 0,
+ (struct sockaddr *)&saddr, saddr_len);
+ if (cc == -1) {
diff --git a/network/krb5/patches/2008-002-patch.txt b/network/krb5/patches/2008-002-patch.txt
new file mode 100644
index 0000000000000..b2bb46b651160
--- /dev/null
+++ b/network/krb5/patches/2008-002-patch.txt
@@ -0,0 +1,72 @@
+--- src/lib/rpc/svc.c (revision 1666)
++++ src/lib/rpc/svc.c (local)
+@@ -109,15 +109,17 @@
+ if (sock < FD_SETSIZE) {
+ xports[sock] = xprt;
+ FD_SET(sock, &svc_fdset);
++ if (sock > svc_maxfd)
++ svc_maxfd = sock;
+ }
+ #else
+ if (sock < NOFILE) {
+ xports[sock] = xprt;
+ svc_fds |= (1 << sock);
++ if (sock > svc_maxfd)
++ svc_maxfd = sock;
+ }
+ #endif /* def FD_SETSIZE */
+- if (sock > svc_maxfd)
+- svc_maxfd = sock;
+ }
+
+ /*
+
+--- src/lib/rpc/svc_tcp.c (revision 1666)
++++ src/lib/rpc/svc_tcp.c (local)
+@@ -54,6 +54,14 @@
+ extern errno;
+ */
+
++#ifndef FD_SETSIZE
++#ifdef NBBY
++#define NOFILE (sizeof(int) * NBBY)
++#else
++#define NOFILE (sizeof(int) * 8)
++#endif
++#endif
++
+ /*
+ * Ops vector for TCP/IP based rpc service handle
+ */
+@@ -215,6 +223,19 @@
+ register SVCXPRT *xprt;
+ register struct tcp_conn *cd;
+
++#ifdef FD_SETSIZE
++ if (fd >= FD_SETSIZE) {
++ (void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n");
++ xprt = NULL;
++ goto done;
++ }
++#else
++ if (fd >= NOFILE) {
++ (void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n");
++ xprt = NULL;
++ goto done;
++ }
++#endif
+ xprt = (SVCXPRT *)mem_alloc(sizeof(SVCXPRT));
+ if (xprt == (SVCXPRT *)NULL) {
+ (void) fprintf(stderr, "svc_tcp: makefd_xprt: out of memory\n");
+@@ -271,6 +292,10 @@
+ * make a new transporter (re-uses xprt)
+ */
+ xprt = makefd_xprt(sock, r->sendsize, r->recvsize);
++ if (xprt == NULL) {
++ close(sock);
++ return (FALSE);
++ }
+ xprt->xp_raddr = addr;
+ xprt->xp_addrlen = len;
+ xprt->xp_laddr = laddr;
+
diff --git a/network/krb5/patches/2009-001-patch.txt b/network/krb5/patches/2009-001-patch.txt
new file mode 100644
index 0000000000000..7485169ae42ef
--- /dev/null
+++ b/network/krb5/patches/2009-001-patch.txt
@@ -0,0 +1,187 @@
+--- src/lib/gssapi/spnego/spnego_mech.c
++++ src/lib/gssapi/spnego/spnego_mech.c
+@@ -54,8 +54,8 @@ typedef const gss_OID_desc *gss_OID_const;
+
+ /* der routines defined in libgss */
+ extern unsigned int gssint_der_length_size(OM_uint32);
+-extern int gssint_get_der_length(unsigned char **, OM_uint32, OM_uint32*);
+-extern int gssint_put_der_length(OM_uint32, unsigned char **, OM_uint32);
++extern int gssint_get_der_length(unsigned char **, OM_uint32, unsigned int*);
++extern int gssint_put_der_length(OM_uint32, unsigned char **, unsigned int);
+
+
+ /* private routines for spnego_mechanism */
+@@ -1249,7 +1249,8 @@ spnego_gss_accept_sec_context(void *ct,
+ }
+ cleanup:
+ if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) {
+- tmpret = make_spnego_tokenTarg_msg(negState, sc->internal_mech,
++ tmpret = make_spnego_tokenTarg_msg(negState,
++ sc ? sc->internal_mech : GSS_C_NO_OID,
+ &mechtok_out, mic_out,
+ return_token,
+ output_token);
+@@ -1802,22 +1803,16 @@ static gss_buffer_t
+ get_input_token(unsigned char **buff_in, unsigned int buff_length)
+ {
+ gss_buffer_t input_token;
+- unsigned int bytes;
++ unsigned int len;
+
+- if (**buff_in != OCTET_STRING)
++ if (g_get_tag_and_length(buff_in, OCTET_STRING, buff_length, &len) < 0)
+ return (NULL);
+
+- (*buff_in)++;
+ input_token = (gss_buffer_t)malloc(sizeof (gss_buffer_desc));
+-
+ if (input_token == NULL)
+ return (NULL);
+
+- input_token->length = gssint_get_der_length(buff_in, buff_length, &bytes);
+- if ((int)input_token->length == -1) {
+- free(input_token);
+- return (NULL);
+- }
++ input_token->length = len;
+ input_token->value = malloc(input_token->length);
+
+ if (input_token->value == NULL) {
+@@ -1869,8 +1864,8 @@ get_mech_set(OM_uint32 *minor_status, unsigned char **buff_in,
+ {
+ gss_OID_set returned_mechSet;
+ OM_uint32 major_status;
+- OM_uint32 length;
+- OM_uint32 bytes;
++ int length;
++ unsigned int bytes;
+ OM_uint32 set_length;
+ unsigned char *start;
+ int i;
+@@ -1882,22 +1877,25 @@ get_mech_set(OM_uint32 *minor_status, unsigned char **buff_in,
+ (*buff_in)++;
+
+ length = gssint_get_der_length(buff_in, buff_length, &bytes);
++ if (length < 0 || buff_length - bytes < (unsigned int)length)
++ return NULL;
+
+ major_status = gss_create_empty_oid_set(minor_status,
+ &returned_mechSet);
+ if (major_status != GSS_S_COMPLETE)
+ return (NULL);
+
+- for (set_length = 0, i = 0; set_length < length; i++) {
++ for (set_length = 0, i = 0; set_length < (unsigned int)length; i++) {
+ gss_OID_desc *temp = get_mech_oid(minor_status, buff_in,
+ buff_length - (*buff_in - start));
+- if (temp != NULL) {
+- major_status = gss_add_oid_set_member(minor_status,
+- temp, &returned_mechSet);
+- if (major_status == GSS_S_COMPLETE) {
++ if (temp == NULL)
++ break;
++
++ major_status = gss_add_oid_set_member(minor_status,
++ temp, &returned_mechSet);
++ if (major_status == GSS_S_COMPLETE) {
+ set_length += returned_mechSet->elements[i].length +2;
+ generic_gss_release_oid(minor_status, &temp);
+- }
+ }
+ }
+
+@@ -2097,7 +2095,7 @@ get_negTokenResp(OM_uint32 *minor_status,
+ return GSS_S_DEFECTIVE_TOKEN;
+ if (*ptr++ == SEQUENCE) {
+ tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes);
+- if (tmplen < 0)
++ if (tmplen < 0 || REMAIN < (unsigned int)tmplen)
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+ if (REMAIN < 1)
+@@ -2107,7 +2105,7 @@ get_negTokenResp(OM_uint32 *minor_status,
+
+ if (tag == CONTEXT) {
+ tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes);
+- if (tmplen < 0)
++ if (tmplen < 0 || REMAIN < (unsigned int)tmplen)
+ return GSS_S_DEFECTIVE_TOKEN;
+
+ if (g_get_tag_and_length(&ptr, ENUMERATED,
+@@ -2128,7 +2126,7 @@ get_negTokenResp(OM_uint32 *minor_status,
+ }
+ if (tag == (CONTEXT | 0x01)) {
+ tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes);
+- if (tmplen < 0)
++ if (tmplen < 0 || REMAIN < (unsigned int)tmplen)
+ return GSS_S_DEFECTIVE_TOKEN;
+
+ *supportedMech = get_mech_oid(minor_status, &ptr, REMAIN);
+@@ -2142,7 +2140,7 @@ get_negTokenResp(OM_uint32 *minor_status,
+ }
+ if (tag == (CONTEXT | 0x02)) {
+ tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes);
+- if (tmplen < 0)
++ if (tmplen < 0 || REMAIN < (unsigned int)tmplen)
+ return GSS_S_DEFECTIVE_TOKEN;
+
+ *responseToken = get_input_token(&ptr, REMAIN);
+@@ -2156,7 +2154,7 @@ get_negTokenResp(OM_uint32 *minor_status,
+ }
+ if (tag == (CONTEXT | 0x03)) {
+ tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes);
+- if (tmplen < 0)
++ if (tmplen < 0 || REMAIN < (unsigned int)tmplen)
+ return GSS_S_DEFECTIVE_TOKEN;
+
+ *mechListMIC = get_input_token(&ptr, REMAIN);
+@@ -2464,6 +2462,8 @@ make_spnego_tokenTarg_msg(OM_uint32 status, gss_OID mech_wanted,
+
+ if (outbuf == GSS_C_NO_BUFFER)
+ return (GSS_S_DEFECTIVE_TOKEN);
++ if (sendtoken == INIT_TOKEN_SEND && mech_wanted == GSS_C_NO_OID)
++ return (GSS_S_DEFECTIVE_TOKEN);
+
+ outbuf->length = 0;
+ outbuf->value = NULL;
+@@ -2715,7 +2715,7 @@ g_get_tag_and_length(unsigned char **buf, int tag,
+ &encoded_len);
+ if (tmplen < 0) {
+ ret = -1;
+- } else if (tmplen > buflen - (ptr - *buf)) {
++ } else if ((unsigned int)tmplen > buflen - (ptr - *buf)) {
+ ret = -1;
+ } else
+ ret = 0;
+--- src/lib/krb5/asn.1/asn1buf.c
++++ src/lib/krb5/asn.1/asn1buf.c
+@@ -78,11 +78,11 @@ asn1_error_code asn1buf_wrap_data(asn1buf *buf, const krb5_data *code)
+
+ asn1_error_code asn1buf_imbed(asn1buf *subbuf, const asn1buf *buf, const unsigned int length, const int indef)
+ {
++ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
+ subbuf->base = subbuf->next = buf->next;
+ if (!indef) {
++ if (length > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;
+ subbuf->bound = subbuf->base + length - 1;
+- if (subbuf->bound > buf->bound)
+- return ASN1_OVERRUN;
+ } else /* constructed indefinite */
+ subbuf->bound = buf->bound;
+ return 0;
+@@ -200,6 +200,7 @@ asn1_error_code asn1buf_remove_octetstring(asn1buf *buf, const unsigned int len,
+ {
+ int i;
+
++ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
+ if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
+ if (len == 0) {
+ *s = 0;
+@@ -218,6 +219,7 @@ asn1_error_code asn1buf_remove_charstring(asn1buf *buf, const unsigned int len,
+ {
+ int i;
+
++ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
+ if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
+ if (len == 0) {
+ *s = 0;
diff --git a/network/krb5/patches/2009-002-patch.txt b/network/krb5/patches/2009-002-patch.txt
new file mode 100644
index 0000000000000..49bf29f07cd95
--- /dev/null
+++ b/network/krb5/patches/2009-002-patch.txt
@@ -0,0 +1,35 @@
+--- src/lib/krb5/asn.1/asn1_decode.c
++++ src/lib/krb5/asn.1/asn1_decode.c
+@@ -231,6 +231,7 @@ asn1_error_code asn1_decode_generaltime(asn1buf *buf, time_t *val)
+
+ if(length != 15) return ASN1_BAD_LENGTH;
+ retval = asn1buf_remove_charstring(buf,15,&s);
++ if (retval) return retval;
+ /* Time encoding: YYYYMMDDhhmmssZ */
+ if(s[14] != 'Z') {
+ free(s);
+--- src/tests/asn.1/krb5_decode_test.c
++++ src/tests/asn.1/krb5_decode_test.c
+@@ -485,6 +485,22 @@ int main(argc, argv)
+ ktest_destroy_keyblock(&(ref.subkey));
+ ref.seq_number = 0;
+ decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part);
++
++ retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40");
++ if (retval) {
++ com_err("krb5_decode_test", retval, "while parsing");
++ exit(1);
++ }
++ retval = decode_krb5_ap_rep_enc_part(&code, &var);
++ if (retval != ASN1_OVERRUN) {
++ printf("ERROR: ");
++ } else {
++ printf("OK: ");
++ }
++ printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n");
++ krb5_free_data_contents(test_context, &code);
++ krb5_free_ap_rep_enc_part(test_context, var);
++
+ ktest_empty_ap_rep_enc_part(&ref);
+ }
+
generated by cgit v1.2.3 (git 2.26.2) at 2025-01-23 22:18:32 +0000