Patch from MITKRB5-SA-2008-001.

Index: src/kdc/dispatch.c

===================================================================

--- src/kdc/dispatch.c	(revision 20192)

+++ src/kdc/dispatch.c	(working copy)

@@ -1,7 +1,7 @@

 /*

  * kdc/dispatch.c

  *

- * Copyright 1990 by the Massachusetts Institute of Technology.

+ * Copyright 1990, 2007 by the Massachusetts Institute of Technology.

  *

  * Export of this software from the United States of America may

  *   require a specific license from the United States Government.

@@ -107,7 +107,7 @@

 	retval = KRB5KRB_AP_ERR_MSG_TYPE;

 #ifndef NOCACHE

     /* put the response into the lookaside buffer */

-    if (!retval)

+    if (!retval && *response != NULL)

 	kdc_insert_lookaside(pkt, *response);

 #endif

Index: src/kdc/kerberos_v4.c

===================================================================

--- src/kdc/kerberos_v4.c	(revision 20192)

+++ src/kdc/kerberos_v4.c	(working copy)

@@ -1,7 +1,7 @@

 /*

  * kdc/kerberos_v4.c

  *

- * Copyright 1985, 1986, 1987, 1988,1991 by the Massachusetts Institute

+ * Copyright 1985, 1986, 1987, 1988,1991,2007 by the Massachusetts Institute

  * of Technology.

  * All Rights Reserved.

  *

@@ -87,11 +87,6 @@

 #define		MSB_FIRST		0	/* 68000, IBM RT/PC */

 #define		LSB_FIRST		1	/* Vax, PC8086 */

-int     f;

-

-/* XXX several files in libkdb know about this */

-char *progname;

-

 #ifndef BACKWARD_COMPAT

 static Key_schedule master_key_schedule;

 static C_Block master_key;

@@ -143,10 +138,8 @@

 #include "com_err.h"

 #include "extern.h"		/* to pick up master_princ */

-static krb5_data *response;

-

-void kerberos_v4 (struct sockaddr_in *, KTEXT);

-void kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *);

+static krb5_data *kerberos_v4 (struct sockaddr_in *, KTEXT);

+static krb5_data *kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *);

 static int set_tgtkey (char *, krb5_kvno, krb5_boolean);

 /* Attributes converted from V5 to V4 - internal representation */

@@ -262,12 +255,12 @@

 	    (void) klog(L_KRB_PERR, "V4 request too long.");

 	    return KRB5KRB_ERR_FIELD_TOOLONG;

     }

+    memset( &v4_pkt, 0, sizeof(v4_pkt));

     v4_pkt.length = pkt->length;

     v4_pkt.mbz = 0;

     memcpy( v4_pkt.dat, pkt->data, pkt->length);

-    kerberos_v4( &client_sockaddr, &v4_pkt);

-    *resp = response;

+    *resp = kerberos_v4( &client_sockaddr, &v4_pkt);

     return(retval);

 }

@@ -300,19 +293,20 @@

 }

 static

-int krb4_sendto(int s, const char *msg, int len, int flags,

-		const struct sockaddr *to, int to_len)

+krb5_data *make_response(const char *msg, int len)

 {

+    krb5_data *response;

+

     if (  !(response = (krb5_data *) malloc( sizeof *response))) {

-	return ENOMEM;

+	return 0;

     }

     if ( !(response->data = (char *) malloc( len))) {

 	krb5_free_data(kdc_context,  response);

-	return ENOMEM;

+	return 0;

     }

     response->length = len;

     memcpy( response->data, msg, len);

-    return( 0);

+    return response;

 }

 static void

 hang(void)

@@ -586,7 +580,7 @@

 	*cp = 0;

 }

-void

+static krb5_data *

 kerberos_v4(struct sockaddr_in *client, KTEXT pkt)

 {

     static KTEXT_ST rpkt_st;

@@ -599,8 +593,8 @@

     KTEXT   auth = &auth_st;

     AUTH_DAT ad_st;

     AUTH_DAT *ad = &ad_st;

+    krb5_data *response = 0;

-

     static struct in_addr client_host;

     static int msg_byte_order;

     static int swap_bytes;

@@ -637,8 +631,7 @@

 		  inet_ntoa(client_host));

 	/* send an error reply */

 	req_name_ptr = req_inst_ptr = req_realm_ptr = "";

-	kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt);

-	return;

+	return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt);

     }

     /* check packet version */

@@ -648,8 +641,7 @@

 		  KRB_PROT_VERSION, req_version, 0);

 	/* send an error reply */

 	req_name_ptr = req_inst_ptr = req_realm_ptr = "";

-	kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt);

-	return;

+	return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt);

     }

     msg_byte_order = req_msg_type & 1;

@@ -707,10 +699,10 @@

 	    if ((i = check_princ(req_name_ptr, req_inst_ptr, 0,

 				 &a_name_data, &k5key, 0, &ck5life))) {

-		kerb_err_reply(client, pkt, i, "check_princ failed");

+		response = kerb_err_reply(client, pkt, i, "check_princ failed");

 		a_name_data.key_low = a_name_data.key_high = 0;

 		krb5_free_keyblock_contents(kdc_context, &k5key);

-		return;

+		return response;

 	    }

 	    /* don't use k5key for client */

 	    krb5_free_keyblock_contents(kdc_context, &k5key);

@@ -722,11 +714,11 @@

 	    /* this does all the checking */

 	    if ((i = check_princ(service, instance, lifetime,

 				 &s_name_data, &k5key, 1, &sk5life))) {

-		kerb_err_reply(client, pkt, i, "check_princ failed");

+		response = kerb_err_reply(client, pkt, i, "check_princ failed");

 		a_name_data.key_high = a_name_data.key_low = 0;

 		s_name_data.key_high = s_name_data.key_low = 0;

 		krb5_free_keyblock_contents(kdc_context, &k5key);

-		return;

+		return response;

 	    }

 	    /* Bound requested lifetime with service and user */

 	    v4req_end = krb_life_to_time(kerb_time.tv_sec, req_life);

@@ -797,8 +789,7 @@

 	    rpkt = create_auth_reply(req_name_ptr, req_inst_ptr,

 		req_realm_ptr, req_time_ws, 0, a_name_data.exp_date,

 		a_name_data.key_version, ciph);

-	    krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0,

-		   (struct sockaddr *) client, sizeof (struct sockaddr_in));

+	    response = make_response((char *) rpkt->dat, rpkt->length);

 	    memset(&a_name_data, 0, sizeof(a_name_data));

 	    memset(&s_name_data, 0, sizeof(s_name_data));

 	    break;

@@ -824,9 +815,8 @@

 		lt = klog(L_KRB_PERR,

 			  "APPL request with realm length too long from %s",

 			  inet_ntoa(client_host));

-		kerb_err_reply(client, pkt, RD_AP_INCON,

-			       "realm length too long");

-		return;

+		return kerb_err_reply(client, pkt, RD_AP_INCON,

+				      "realm length too long");

 	    }

 	    auth->length += (int) *(pkt->dat + auth->length) +

@@ -835,9 +825,8 @@

 		lt = klog(L_KRB_PERR,

 			  "APPL request with funky tkt or req_id length from %s",

 			  inet_ntoa(client_host));

-		kerb_err_reply(client, pkt, RD_AP_INCON,

-			       "funky tkt or req_id length");

-		return;

+		return kerb_err_reply(client, pkt, RD_AP_INCON,

+				      "funky tkt or req_id length");

 	    }

 	    memcpy(auth->dat, pkt->dat, auth->length);

@@ -848,18 +837,16 @@

 	    if ((!allow_v4_crossrealm)&&strcmp(tktrlm, local_realm) != 0) {

 	      lt = klog(L_ERR_UNK,

 			"Cross realm ticket from %s denied by policy,", tktrlm);

-	      kerb_err_reply(client, pkt,

-			       KERB_ERR_PRINCIPAL_UNKNOWN, lt);

-		return;

+	      return kerb_err_reply(client, pkt,

+				    KERB_ERR_PRINCIPAL_UNKNOWN, lt);

 	    }

 	    if (set_tgtkey(tktrlm, kvno, 0)) {

-	      lt = klog(L_ERR_UNK,

+		lt = klog(L_ERR_UNK,

 			  "FAILED set_tgtkey realm %s, kvno %d. Host: %s ",

 			  tktrlm, kvno, inet_ntoa(client_host));

 		/* no better error code */

-		kerb_err_reply(client, pkt,

-			       KERB_ERR_PRINCIPAL_UNKNOWN, lt);

-		return;

+		return kerb_err_reply(client, pkt,

+				      KERB_ERR_PRINCIPAL_UNKNOWN, lt);

 	    }

 	    kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr,

 		ad, 0);

@@ -869,9 +856,8 @@

 			      "FAILED 3des set_tgtkey realm %s, kvno %d. Host: %s ",

 			      tktrlm, kvno, inet_ntoa(client_host));

 		    /* no better error code */

-		    kerb_err_reply(client, pkt,

-				   KERB_ERR_PRINCIPAL_UNKNOWN, lt);

-		    return;

+		    return kerb_err_reply(client, pkt,

+					  KERB_ERR_PRINCIPAL_UNKNOWN, lt);

 		}

 		kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr,

 				   ad, 0);

@@ -881,8 +867,7 @@

 		klog(L_ERR_UNK, "FAILED krb_rd_req from %s: %s",

 		     inet_ntoa(client_host), krb_get_err_text(kerno));

 		req_name_ptr = req_inst_ptr = req_realm_ptr = "";

-		kerb_err_reply(client, pkt, kerno, "krb_rd_req failed");

-		return;

+		return kerb_err_reply(client, pkt, kerno, "krb_rd_req failed");

 	    }

 	    ptr = (char *) pkt->dat + auth->length;

@@ -904,22 +889,21 @@

 	    req_realm_ptr = ad->prealm;

 	    if (strcmp(ad->prealm, tktrlm)) {

-		kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN,

-		     "Can't hop realms");

-		return;

+		return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN,

+				      "Can't hop realms");

 	    }

 	    if (!strcmp(service, "changepw")) {

-		kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN,

-		     "Can't authorize password changed based on TGT");

-		return;

+		return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN,

+				      "Can't authorize password changed based on TGT");

 	    }

 	    kerno = check_princ(service, instance, req_life,

 				&s_name_data, &k5key, 1, &sk5life);

 	    if (kerno) {

-		kerb_err_reply(client, pkt, kerno, "check_princ failed");

+		response = kerb_err_reply(client, pkt, kerno,

+					  "check_princ failed");

 		s_name_data.key_high = s_name_data.key_low = 0;

 		krb5_free_keyblock_contents(kdc_context, &k5key);

-		return;

+		return response;

 	    }

 	    /* Bound requested lifetime with service and user */

 	    v4endtime = krb_life_to_time((KRB4_32)ad->time_sec, ad->life);

@@ -975,8 +959,7 @@

 	    rpkt = create_auth_reply(ad->pname, ad->pinst,

 				     ad->prealm, time_ws,

 				     0, 0, 0, ciph);

-	    krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0,

-		   (struct sockaddr *) client, sizeof (struct sockaddr_in));

+	    response = make_response((char *) rpkt->dat, rpkt->length);

 	    memset(&s_name_data, 0, sizeof(s_name_data));

 	    break;

 	}

@@ -1001,6 +984,7 @@

 	    break;

 	}

     }

+    return response;

 }

@@ -1010,7 +994,7 @@

  * client. 

  */

-void

+static krb5_data *

 kerb_err_reply(struct sockaddr_in *client, KTEXT pkt, long int err, char *string)

 {

     static KTEXT_ST e_pkt_st;

@@ -1021,9 +1005,7 @@

     strncat(e_msg, string, sizeof(e_msg) - 1 - 19);

     cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr,

 		 req_time_ws, err, e_msg);

-    krb4_sendto(f, (char *) e_pkt->dat, e_pkt->length, 0,

-	   (struct sockaddr *) client, sizeof (struct sockaddr_in));

-

+    return make_response((char *) e_pkt->dat, e_pkt->length);

 }

 static int

Index: src/kdc/network.c

===================================================================

--- src/kdc/network.c	(revision 20192)

+++ src/kdc/network.c	(working copy)

@@ -1,7 +1,7 @@

 /*

  * kdc/network.c

  *

- * Copyright 1990,2000 by the Massachusetts Institute of Technology.

+ * Copyright 1990,2000,2007 by the Massachusetts Institute of Technology.

  *

  * Export of this software from the United States of America may

  *   require a specific license from the United States Government.

@@ -747,6 +747,8 @@

 	com_err(prog, retval, "while dispatching (udp)");

 	return;

     }

+    if (response == NULL)

+	return;

     cc = sendto(port_fd, response->data, (socklen_t) response->length, 0,

 		(struct sockaddr *)&saddr, saddr_len);

     if (cc == -1) {