[PATCH] Allow Kerberos CHANGEPW request to fallback to TCP
todd stecher
tstecher at isilon.com
Thu Mar 23 18:58:01 GMT 2006
On Wed, 2006-03-22 at 15:46 -0800, Jeremy Allison wrote:
> Thought you'd want a little feedback... It's good to know that
> even the people who wrote Microsoft's krb5 implementation can't
> write error free krb5 code (JOKE, JOKE, ok ! :-). No one writes
> error free krb5 code - especially me :-) :-).
>
I think in the broad scope of things that the MS KDC may be doing the
wrong thing - so I count this as 2 Todd bugs, technically.
> There's a memory leak around the krb5_rd_error() call you added.
> The API docs say that the krb5_error struct returned from
> krb5_rd_error() must be freed with krb5_free_error(), which you
> do in the codepath where krberror->e_data.data == NULL, but if
> this isn't the case (can that happen?) then it'll leak memory
> and bleed into the rest of the "successful packet" code. After
> the Coverity static analyzer ripped us a new one over things
> like this I'm a little sensitive on these issues :-).
>
Good catch - thanks for reviewing this.
The edata is likely completely irrelevant for a KRB_ERROR returned for
the setpassword protocol, but my reading of the RFC is that it is
*possible* to send back errors in this field. I copied this code from
1.4.1 MIT Kerberos, which preserves the edata in case it contains one of
the 7 or 8 possible setpassword / changepassword errors.
It's fairly straightforward to check for this case and return the
correct error without leaking memory. I'll fix that up and resend the
updated patch.
> I think we need a krb5_free_error(), return XXX after this
> section of the code (but what should XXX be there ?). The
> other issue is that this probably won't work with Heimdal, as
> the ERROR_TABLE_BASE_krb5 macro is almost certainly MIT
> specific.
>
Hmm... I hadn't considered that - however, the Kerberos Samba code is
already using errors from the MIT codebase's krb5_err.h, right? This
should be roughly equal to Heimdahl's implementation whenever receiving
kerberos errors off the wire. I'll triple check, but other viewpoints
are certainly welcome.
> Do you want me to have a go at fixing this and post it to
> the list for your review or do you want to address this
> yourself ?
I'll have this done tomorrow.
--
Todd Stecher
Isilon Systems
220 W. Mercer St. | Seattle, WA 98119
Isilon's hiring... | www.isilon.com/Careers
More information about the samba-technical
mailing list