[PATCH] Implement a more abstracted kpasswd service

Jeremy Allison jra at samba.org
Fri Sep 9 21:27:08 UTC 2016


On Fri, Sep 09, 2016 at 10:10:52AM +0200, Andreas Schneider wrote:
> On Thursday, 8 September 2016 15:26:20 CEST Jeremy Allison wrote:
> > On Wed, Sep 07, 2016 at 06:02:45PM +0200, Andreas Schneider wrote:
> > > Hi Andrew,
> > > 
> > > I've implemented a working kpasswd service with MIT Kerberos in the
> > > meantime. This patchset is the work to clean up Heimdal code and prepare
> > > for later MIT Kerberos code.
> > > 
> > > I've started with splitting up the test_passwords.sh test. Now we have a
> > > test_password_settings.sh and test_kpasswd_heimdal.sh test.
> > > 
> > > The test_kpasswd_heimdal.sh only tests the kpasswd service implementation
> > > in different ways. It has some additional tests, like doing a password
> > > change with kinit.
> > > 
> > > Next I reworked the kpasswd service implementation to be able to share
> > > code which is not Kerberos flavor specific.
> > > 
> > > The patchset is attached but you can also find it here:
> > > 
> > > https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-kpasswd
> > > 
> > > 
> > > Please review and push if appropriate!
> > 
> > Pushed the first 4 patches as they're obviously correct.
> > 
> > Still looking over the rest !
> 
> Thank you very much Jeremy!

Pushed the next 8 with one change.

In:

[PATCH 11/18] s4-kdc: Move kpasswd_make_error_reply() to a helper file.

You have:

+       /*
+        * The string 's' has two terminating nul-bytes which are also
+        * reflected by 'slen'. Normally Kerberos doesn't expect that strings
+        * are nul-terminated, but Heimdal does!
+        */
+#ifndef SAMBA4_USES_HEIMDAL
+       slen -= 2;
+#endif
+       error_data->length = 2 + slen;
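
Review bot: `slen -= 2` in the `#ifndef SAMBA4_USES_HEIMDAL` branch is unguarded. The comment states that 's' always carries two trailing nul bytes counted in 'slen', but nothing in these lines enforces it. If slen is an unsigned type and arrives smaller than 2, the subtraction wraps to a very large value that then flows into `error_data->length = 2 + slen`. Suggest rejecting slen < 2 before the subtraction and bounding the sum before it is stored in error_data->length.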

I changed this to:

+       /*
+        * The string 's' has two terminating nul-bytes which are also
+        * reflected by 'slen'. Normally Kerberos doesn't expect that strings
+        * are nul-terminated, but Heimdal does!
+        */
+#ifndef SAMBA4_USES_HEIMDAL
+       if (slen < 2) {
+               return false;
+       }
+       slen -= 2;
+#endif
+       if (2 + slen < slen) {
+               return false;
+       }
+       error_data->length = 2 + slen;
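
Review bot: the wrap test `if (2 + slen < slen)` only works when slen is an unsigned type, and its declaration is not visible in these lines. For a signed slen the overflow is undefined behaviour in C and the compiler is free to drop the test, so either confirm slen is unsigned or compare slen against the type's maximum minus 2 before adding. It is also worth confirming that error_data->length is at least as wide as slen, since the assignment would otherwise truncate a value that passed both checks.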

- note the extra checks on slen to prevent integer
overflow/underflow.

Cheers,

Jeremy.


