[PATCH] heimdal - avoid an endless loop when KDC replies KRB5KDC_ERR_SVC_UNAVAILABLE

Uri Simchoni urisimchoni at gmail.com
Mon Jun 15 23:24:45 MDT 2015


I tried avoiding THIS discussion by also submitting it upstream.
Looking at the upstream heimdal code:
- The bug seems to no longer exist (there's no nesting like here)
- The send code is a rewrite, making me uncomfortable in back-porting
it as a fix to this particular problem.
- When reviewing upstream heimdal code I did find a tiny bug of
swapped debug prints (print success in case of failure and vice versa)
but did not manage to submit it to the heimdal-discuss mailing list as
the web server that manages subscriptions to the list (list.sics.se)
appears to be dead.

I hope the comments in the commit message about the upstream fix will
help in pulling back a newer heimdal. Everyone are invited to review
upstream Heimdal code to verify that indeed the problem is fixed.

Thanks,
Uri.

On Tue, Jun 16, 2015 at 7:59 AM, Volker Lendecke
<Volker.Lendecke at sernet.de> wrote:
> On Tue, Jun 16, 2015 at 02:12:09AM +0300, Alexander Bokovoy wrote:
>> On Tue, Jun 16, 2015 at 12:33:41AM +0300, Uri Simchoni wrote:
>> > !krb5_krbhst_retry_exceeded() is the equivalent of i<context->max_retries,
>> > krb5_krbhst_retry() at the end of the loop is the equivalent of ++i
>> > (which is also executed at the end of the loop).
>> >
>> > So unless I'm missing something, logic hasn't changed, it's the same
>> > loop with same exit conditions as before, except the loop counter
>> > doesn't start from zero on subsequent invocation if the history has
>> > not been re-created.
>> Thanks. We actually went with Jeremy right now over the flow and we now
>> are convinced you are right.
>>
>> Thanks, that makes two ACKs but the question is do we want to patch
>> in-tree Heimdal...
>
> Not THIS discussion again please. Just freakin' push it.
>
> Volker
>
> --
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
> http://www.sernet.de, mailto:kontakt at sernet.de


More information about the samba-technical mailing list