Hi. I'd like permission to upload the following patch to s-p-u. I've coordinated with the security team for the security issues and our mutual agreement is that they should be addressed in a point release.
diff --git a/debian/changelog b/debian/changelog index 27673a6..13cea43 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,19 @@ +krb5 (1.8.3+dfsg-4squeeze1) stable; urgency=low + + * Fix double free with pkinit on KDC, CVE-2011-0284, Closes: #618517 + * Updated Danish debconf translations, thanks Joe Dalton, Closes: + #584282 + * KDC/LDAP DOS (CVE-2010-4022, CVE-2011-0281, and CVE-2011-0282, + Closes: #613487 + * Fix delegation of credentials against Windows servers; significant + interoperability issue, Closes: #611906 + * Set nt-srv-inst on TGS names to work against W2K8R2 KDCs, Closes: + #616429 + * Don't fail authentication when PAC verification fails; support hmac- + md5 checksums even for non-RC4 keys, Closes: #616728 + + -- Sam Hartman <hartmans@debian.org> Wed, 16 Mar 2011 11:52:06 -0400 + krb5 (1.8.3+dfsg-4) unstable; urgency=medium * Ignore PACs without a server signature generated by OS X Open diff --git a/debian/po/da.po b/debian/po/da.po index 11c207a..1a66e29 100644 --- a/debian/po/da.po +++ b/debian/po/da.po @@ -1,33 +1,26 @@ -# -# Translators, if you are not familiar with the PO format, gettext -# documentation is worth reading, especially sections dedicated to -# this format, e.g. by running: -# info -n '(gettext)PO Files' -# info -n '(gettext)Header Entry' -# Some information specific to po-debconf are available at -# /usr/share/doc/po-debconf/README-trans -# or http://www.debian.org/intl/l10n/po-debconf/README-trans# -# Developers do not need to manually edit POT or PO files. -# +# Dansih translation krb5. +# Copyright (C) 2010 krb5 & nedenstÃ¥ende oversættere. +# This file is distributed under the same license as the krb5 package. # Claus Hindsgaul <claus_h@image.dk>, 2006. +# Joe Hansen <joedalton2@yahoo.dk>, 2010. +# msgid "" msgstr "" "Project-Id-Version: krb5\n" "Report-Msgid-Bugs-To: krb5@packages.debian.org\n" "POT-Creation-Date: 2009-02-21 13:55-0500\n" -"PO-Revision-Date: 2006-01-26 21:55+0100\n" -"Last-Translator: Claus Hindsgaul <claus_h@image.dk>\n" -"Language-Team: Danish <dansk@klid.dk>\n" +"PO-Revision-Date: 2010-06-02 17:30+01:00\n" +"Last-Translator: Joe Hansen <joedalton2@yahoo.dk>\n" +"Language-Team: Danish <debian-l10n-danish@lists.debian.org> \n" "MIME-Version: 1.0\n" -"Content-Type: text/plain; charset=ISO-8859-1\n" +"Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"X-Generator: KBabel 1.11.1\n" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "Setting up a Kerberos Realm" -msgstr "Sætter et Kerberos-rige op" +msgstr "Sætter et Kerberos-rige op" #. Type: note #. Description @@ -36,6 +29,8 @@ msgid "" "This package contains the administrative tools required to run the Kerberos " "master server." msgstr "" +"Denne pakke indeholder de administrative værktøjer krævet til at køre " +"Kerberos' masterserver." #. Type: note #. Description @@ -44,6 +39,9 @@ msgid "" "However, installing this package does not automatically set up a Kerberos " "realm. This can be done later by running the \"krb5_newrealm\" command." msgstr "" +"Installation af denne pakke medfører dog ikke automatisk, at et " +"Kerberos-rige bliver sat op. Dette kan gøres senere ved at køre kommandoen " +"»krb5_newrealm«." #. Type: note #. Description @@ -52,13 +50,14 @@ msgid "" "Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the " "administration guide found in the krb5-doc package." msgstr "" +"Læs venligst ogsÃ¥ filen /usr/share/doc/krb5-kdc/README.KDC og " +"administrationsvejledningen, der kan ses i pakken krb5-doc." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 -#, fuzzy msgid "Run the Kerberos V5 administration daemon (kadmind)?" -msgstr "Skal Kerberos5-administrationsdæmonen (kadmind) køres?" +msgstr "Skal administrationsdæmonen Kerberos5 (kadmind) køres?" #. Type: boolean #. Description @@ -67,6 +66,8 @@ msgid "" "Kadmind serves requests to add/modify/remove principals in the Kerberos " "database." msgstr "" +"Kadmindservere anmoder om at tilføje/ændre/fjerne vigtige ting i " +"kerberosdatabasen." #. Type: boolean #. Description @@ -75,13 +76,14 @@ msgid "" "It is required by the kpasswd program, used to change passwords. With " "standard setups, this daemon should run on the master KDC." msgstr "" +"Den er krævet af kpasswd-programmet, brugt til at ændre adgangskoder. " +"Med standardopsætning, skal denne dæmon køre pÃ¥ master-KDC'en." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 -#, fuzzy msgid "Create the Kerberos KDC configuration automatically?" -msgstr "Opret Kerberos KDC-opsætning med debconf?" +msgstr "Opret automatisk Kerberos KDC-konfigurationen?" #. Type: boolean #. Description @@ -90,6 +92,8 @@ msgid "" "The Kerberos Key Distribution Center (KDC) configuration files, in /etc/" "krb5kdc, may be created automatically." msgstr "" +"Konfigurationsfilerne for Kerberos Key Distribution Center (KDC) i /etc/" +"krb5kdc, kan oprettes automatisk." #. Type: boolean #. Description @@ -98,6 +102,8 @@ msgid "" "By default, an example template will be copied into this directory with " "local parameters filled in." msgstr "" +"Som standard vil en eksempelskabelon blive kopieret ind i denne mappe med " +"lokale parametre udfyldt." #. Type: boolean #. Description @@ -106,28 +112,27 @@ msgid "" "Administrators who already have infrastructure to manage their Kerberos " "configuration may wish to disable these automatic configuration changes." msgstr "" +"Administratorer, som allerede har infrastruktur til hÃ¥ndtering af deres " +"Kerberoskonfiguration, vil mÃ¥ske ønske at deaktivere disse automatiske " +"konfigurationsændringer." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "Should the KDC database be deleted?" -msgstr "" +msgstr "Skal KDC-databasen slettes?" #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 -#, fuzzy msgid "" "By default, removing this package will not delete the KDC database in /var/" "lib/krb5kdc/principal since this database cannot be recovered once it is " "deleted." msgstr "" "Som udgangspunkt vil KDC-databasen i /var/lib/krb5kdc/principal ikke blive " -"slettet, når pakken afinstalleres, da denne database ikke kan genskabes, når " -"den er slettet. Hvis du ønsker at slette din KDC-database, når denne pakke " -"afinstalleres, vel vidende at det betyder at alle dine brugerkonti og " -"adgangskoder i KDC'en dermed bliver slettet ved afinstallation, skal du " -"aktivere denne indstilling." +"slettet, nÃ¥r pakken afinstalleres, da denne database ikke kan genskabes, nÃ¥r " +"den er slettet." #. Type: boolean #. Description @@ -136,94 +141,6 @@ msgid "" "Choose this option if you wish to delete the KDC database now, deleting all " "of the user accounts and passwords in the KDC." msgstr "" +"Vælg denne indstilling hvis du ønsker at slette KDC-databasen nu, dermed " +"slettes alle brugerkonti og adgangskoder i KDC'en." -#, fuzzy -#~ msgid "Kerberos V4 compatibility mode to use:" -#~ msgstr "Kerberos4-kompatibilitetstilstand, der skal benyttes:" - -#, fuzzy -#~ msgid "" -#~ "By default, Kerberos V4 requests are allowed from principals that do not " -#~ "require preauthentication (\"nopreauth\"). This allows Kerberos V4 " -#~ "services to exist while requiring most users to use Kerberos V5 clients " -#~ "to get their initial tickets. These tickets can then be converted to " -#~ "Kerberos V4 tickets." -#~ msgstr "" -#~ "Som udgangspunkt tillades Kerberos4-forespørgsler fra elementer, der ikke " -#~ "kræver præ-autentifikation. Det vil gøre det muligt at bevare Kerberos4-" -#~ "services, mens de fleste brugere tvinges til at bruge Kerberos5-klienter " -#~ "til at opnå deres første billetter. Disse billetter kan derefter omsættes " -#~ "til Kerberos4-billeter. Alternativt kan man vælge fuld tilstand, som " -#~ "tillader Kerberos4 at få de første billetter, selvom præautentifikation " -#~ "normalt ville have været påkrævet, eller vælge at deaktivere, hvilket vil " -#~ "deaktivere al understøttelse af Kerberos4." - -#~ msgid "Should the data be purged as well as the package files?" -#~ msgstr "Skal data slettes, når pakkens afinstalleres?" - -#~ msgid "" -#~ "This package contains the administrative tools necessary to run on the " -#~ "Kerberos master server. However, installing this package does not " -#~ "automatically set up a Kerberos realm. Doing so requires entering " -#~ "passwords and as such is not well-suited for package installation. To " -#~ "create the realm, run the krb5_newrealm command. You may also wish to " -#~ "read /usr/share/doc/krb5-kdc/README.KDC and the administration guide " -#~ "found in the krb5-doc package." -#~ msgstr "" -#~ "Denne pakke indeholder de nødvendige administrationsværktøjer til kørsel " -#~ "på Kerberos-hovedserveren. Installationen af denne pakke sætter dog ikke " -#~ "automatisk et Kerberos-rige ('realm') op. Det kræver indtastning af " -#~ "adgangskoder, hvilket ikke egner sig til pakkeinstallationen. For at " -#~ "oprette riget, skal du udføre kommandoen krb5_newrealm. Du kan også læse /" -#~ "usr/share/doc/krb5-kdc/README.KDC og administrationsguiden i pakken krb5-" -#~ "doc." - -#~ msgid "" -#~ "Don't forget to set up DNS information so your clients can find your KDC " -#~ "and admin servers. Doing so is documented in the administration guide." -#~ msgstr "" -#~ "Glem ikke at sætte DNS-oplysningerne op, så dine klienter kan finde dine " -#~ "KDC- og admin-servere. Fremgangsmåden er dokumenteret i " -#~ "administrationsguiden." - -#~ msgid "" -#~ "Kadmind serves requests to add/modify/remove principals in the Kerberos " -#~ "database. It also must be running for the kpasswd program to be used to " -#~ "change passwords. Normally, this daemon runs on the master KDC." -#~ msgstr "" -#~ "Kadmind håndterer forespørgsler om at tilføje/ændre/fjerne elementer i " -#~ "Kerberos-databasen. Den skal køre for at kpasswd-programmet kan benyttes " -#~ "til at ændre adgangskoder. Normalt kører denne dæmon på hoved-KDC'en." - -#~ msgid "" -#~ "Many sites will wish to have this script automatically create Kerberos " -#~ "KDC configuration files in /etc/krb5kdc. By default an example template " -#~ "will be copied into this directory with local parameters filled in. Some " -#~ "sites who already have infrastructure to manage their own Kerberos " -#~ "configuration will wish to disable any automatic configuration changes." -#~ msgstr "" -#~ "Mange vil vælge at lade dette script oprette Kerberos KDC-opsætningsfiler " -#~ "i /etc/krb5kdc automatisk. Som udgangspunkt vil en eksempel-skabelon " -#~ "blive kopieret til denne mappe med lokale paremetre udfyldt på forhånd. " -#~ "Dem, der allerede har infrastruktur til at håndtere deres egen Kerberos-" -#~ "opsætning, kan vælge at deaktivere alle automatiske ænderinger i " -#~ "opsætningen." - -#~ msgid "disable, full, nopreauth, none" -#~ msgstr "deaktivér, fuld, ejpræaut, ingen" - -#~ msgid "Run a krb524d?" -#~ msgstr "Kør en krb524d?" - -#~ msgid "" -#~ "Krb524d is a daemon that converts Kerberos5 tickets into Kerberos4 " -#~ "tickets for the krb524init program. If you have Kerberos4 enabled at " -#~ "all, then you probably want to run this program. Especially when " -#~ "Kerberos4 compatibility is set to nopreauth, krb524d is important if you " -#~ "have any Kerberos4 services." -#~ msgstr "" -#~ "Krb524d er en dæmon, der omsætter Kerberos5-billetter til Kerberos4-" -#~ "billetter til programmet krb524init. Hvis du overhovedet har aktiveret " -#~ "Kerberos4, skal du sikkert køre dette program. krb524d er især vigtig, " -#~ "hvis Kerberos4-kompatibiliteten er sat til ejpræaut, og du har Kerberos4-" -#~ "services kørende." diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 3924297..4eb752c 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -784,6 +784,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request, pad->contents = td[size]->data; pad->length = td[size]->length; pa[size] = pad; + td[size]->data = NULL; + td[size]->length = 0; } krb5_free_typed_data(kdc_context, td); } diff --git a/src/lib/crypto/krb/checksum/hmac_md5.c b/src/lib/crypto/krb/checksum/hmac_md5.c index 4812907..784b746 100644 --- a/src/lib/crypto/krb/checksum/hmac_md5.c +++ b/src/lib/crypto/krb/checksum/hmac_md5.c @@ -52,7 +52,7 @@ krb5_error_code krb5int_hmacmd5_checksum(const struct krb5_cksumtypes *ctp, return KRB5_BAD_ENCTYPE; if (ctp->ctype == CKSUMTYPE_HMAC_MD5_ARCFOUR) { /* Compute HMAC(key, "signaturekey\0") to get the signing key ks. */ - ret = alloc_data(&ds, key->keyblock.length); + ret = alloc_data(&ds, ctp->hash->hashsize); if (ret != 0) goto cleanup; diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c index e3358b8..8b6ba20 100644 --- a/src/lib/gssapi/krb5/init_sec_context.c +++ b/src/lib/gssapi/krb5/init_sec_context.c @@ -234,9 +234,7 @@ struct gss_checksum_data { krb5_data checksum_data; }; -#ifdef CFX_EXERCISE #include "../../krb5/krb/auth_con.h" -#endif static krb5_error_code KRB5_CALLCONV make_gss_checksum (krb5_context context, krb5_auth_context auth_context, void *cksum_data, krb5_data **out) @@ -247,6 +245,7 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context, struct gss_checksum_data *data = cksum_data; krb5_data credmsg; unsigned int junk; + krb5_key send_subkey; data->checksum_data.data = 0; credmsg.data = 0; @@ -262,13 +261,22 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context, assert(data->cred->name != NULL); + /* + * RFC 4121 4.1.1 specifies forwarded credentials must be encrypted in + * the session key, but krb5_fwd_tgt_creds will use the send subkey if + * it's set in the auth context. Null out the send subkey temporarily. + */ + send_subkey = auth_context->send_subkey; + auth_context->send_subkey = NULL; + code = krb5_fwd_tgt_creds(context, auth_context, 0, data->cred->name->princ, data->ctx->there->princ, data->cred->ccache, 1, &credmsg); - /* turn KRB5_AUTH_CONTEXT_DO_TIME back on */ + /* Turn KRB5_AUTH_CONTEXT_DO_TIME back on and reset the send subkey. */ krb5_auth_con_setflags(context, auth_context, con_flags); + auth_context->send_subkey = send_subkey; if (code) { /* don't fail here; just don't accept/do the delegation diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index e46e7ac..15619a8 100644 --- a/src/lib/krb5/krb/get_in_tkt.c +++ b/src/lib/krb5/krb/get_in_tkt.c @@ -1023,8 +1023,19 @@ build_in_tkt_name(krb5_context context, client->realm.length, client->realm.data, 0); + if (ret) + return ret; } - return ret; + /* + * Windows Server 2008 R2 RODC insists on TGS principal names having the + * right name type. + */ + if (krb5_princ_size(context, *server) == 2 && + data_eq_string(*krb5_princ_component(context, *server, 0), + KRB5_TGS_NAME)) { + krb5_princ_type(context, *server) = KRB5_NT_SRV_INST; + } + return 0; } void KRB5_CALLCONV diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c index 50b2969..d89c380 100644 --- a/src/lib/krb5/krb/pac.c +++ b/src/lib/krb5/krb/pac.c @@ -684,16 +684,8 @@ krb5_pac_verify(krb5_context context, return EINVAL; ret = k5_pac_verify_server_checksum(context, pac, server); - if (ret == ENOENT) { - /* - * Apple Mac OS X Server Open Directory KDC (at least 10.6) - * appears to provide a PAC that lacks a server checksum. - */ - pac->verified = FALSE; - return ret; - } else if (ret != 0) { + if (ret != 0) return ret; - } if (privsvr != NULL) { ret = k5_pac_verify_kdc_checksum(context, pac, privsvr); @@ -1095,35 +1087,18 @@ mspac_verify(krb5_context kcontext, if (pacctx->pac == NULL) return EINVAL; - code = krb5_pac_verify(kcontext, - pacctx->pac, + code = krb5_pac_verify(kcontext, pacctx->pac, req->ticket->enc_part2->times.authtime, - req->ticket->enc_part2->client, - key, - NULL); + req->ticket->enc_part2->client, key, NULL); /* - * If the server checksum is not found, return success to - * krb5int_authdata_verify() to work around an apparent Open - * Directory bug. Non-verified PACs won't be returned by - * mspac_get_attribute(). + * If the above verification failed, don't fail the whole authentication, + * just don't mark the PAC as verified. A checksum mismatch can occur if + * the PAC was copied from a cross-realm TGT by an ignorant KDC, and Apple + * Mac OS X Server Open Directory (as of 10.6) generates PACs with no + * server checksum at all. */ - if (code == ENOENT && !pacctx->pac->verified) { - code = 0; - } - -#if 0 - /* - * Now, we could return 0 and just set pac->verified to FALSE. - * Thoughts? - */ - if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) { - assert(pacctx->pac->verified == FALSE); - code = 0; - } -#endif - - return code; + return 0; } static void diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h index 1ca09b4..60caf3d 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h @@ -102,14 +102,18 @@ extern void prepend_err_str (krb5_context ctx, const char *s, krb5_error_code er #define LDAP_SEARCH(base, scope, filter, attrs) LDAP_SEARCH_1(base, scope, filter, attrs, CHECK_STATUS) #define LDAP_SEARCH_1(base, scope, filter, attrs, status_check) \ - do { \ - st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, NULL, &timelimit, LDAP_NO_LIMIT, &result); \ - if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \ - tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \ - if (ldap_server_handle) \ - ld = ldap_server_handle->ldap_handle; \ - } \ - }while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR && tempst == 0); \ + tempst = 0; \ + st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, \ + NULL, &timelimit, LDAP_NO_LIMIT, &result); \ + if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \ + tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \ + if (ldap_server_handle) \ + ld = ldap_server_handle->ldap_handle; \ + if (tempst == 0) \ + st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, \ + NULL, NULL, &timelimit, \ + LDAP_NO_LIMIT, &result); \ + } \ \ if (status_check != IGNORE_STATUS) { \ if (tempst != 0) { \ diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c index 82b0333..84e80ee 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c @@ -302,6 +302,7 @@ krb5_ldap_rebind(krb5_ldap_context *ldap_context, { krb5_ldap_server_handle *handle = *ldap_server_handle; + ldap_unbind_ext_s(handle->ldap_handle, NULL, NULL); if ((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS) || (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS)) return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle); diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c index f549e23..b70940f 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c @@ -446,12 +446,11 @@ is_principal_in_realm(krb5_ldap_context *ldap_context, * portion, then the first portion of the principal name SHOULD be * "krbtgt". All this check is done in the immediate block. */ - if (searchfor->length == 2) - if ((strncasecmp(searchfor->data[0].data, "krbtgt", - FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) && - (strncasecmp(searchfor->data[1].data, defrealm, - FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0)) + if (searchfor->length == 2) { + if (data_eq_string(searchfor->data[0], "krbtgt") && + data_eq_string(searchfor->data[1], defrealm)) return 0; + } /* first check the length, if they are not equal, then they are not same */ if (strlen(defrealm) != searchfor->realm.length) diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c index 7ad31da..626ed1f 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c @@ -103,10 +103,10 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, unsigned int flags, krb5_db_entry *entries, int *nentries, krb5_boolean *more) { - char *user=NULL, *filter=NULL, **subtree=NULL; + char *user=NULL, *filter=NULL, *filtuser=NULL; unsigned int tree=0, ntrees=1, princlen=0; krb5_error_code tempst=0, st=0; - char **values=NULL, *cname=NULL; + char **values=NULL, **subtree=NULL, *cname=NULL; LDAP *ld=NULL; LDAPMessage *result=NULL, *ent=NULL; krb5_ldap_context *ldap_context=NULL; @@ -142,12 +142,18 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, if ((st=krb5_ldap_unparse_principal_name(user)) != 0) goto cleanup; - princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */ + filtuser = ldap_filter_correct(user); + if (filtuser == NULL) { + st = ENOMEM; + goto cleanup; + } + + princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1; /* 2 for closing brackets */ if ((filter = malloc(princlen)) == NULL) { st = ENOMEM; goto cleanup; } - snprintf(filter, princlen, FILTER"%s))", user); + snprintf(filter, princlen, FILTER"%s))", filtuser); if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0) goto cleanup; @@ -231,6 +237,9 @@ cleanup: if (user) free(user); + if (filtuser) + free(filtuser); + if (cname) free(cname); diff --git a/src/slave/kpropd.c b/src/slave/kpropd.c index ef43e4a..bf6bdad 100644 --- a/src/slave/kpropd.c +++ b/src/slave/kpropd.c @@ -398,11 +398,11 @@ retry: } close(s); - if (iproprole == IPROP_SLAVE) + if (iproprole == IPROP_SLAVE) { close(finet); - - if ((ret = WEXITSTATUS(status)) != 0) - return (ret); + if ((ret = WEXITSTATUS(status)) != 0) + return (ret); + } } if (iproprole == IPROP_SLAVE) break;
Attachment:
pgp1LHFoMZ0oJ.pgp
Description: PGP signature