Fix GSS krb5 initial sequence number gap handling

Since #2040, the dummy queue element inserted by g_order_init no
longer compares less than the initial sequence number, so we fail when
the first few sequence numbers are received out of order.  Properly
detect when a sequence number fits between the dummy element and the
first real queue element.

[ghudson@mit.edu: rewrote commit message]

(cherry picked from commit 13a9cb721194c8aa4ccf6ed6ef23e3ac8dd24037)

ticket: 7872
version_fixed: 1.12.2
status: resolved

diff --git a/src/lib/gssapi/generic/util_ordering.c b/src/lib/gssapi/generic/util_ordering.c
index 95609a992b0f5d04140793af5ce8c923c4edc7a5..56cd84a6a693d83ed0080eefd223d6c3568f148e 100644 (file)
--- a/src/lib/gssapi/generic/util_ordering.c
+++ b/src/lib/gssapi/generic/util_ordering.c
@@ -195,6 +195,21 @@ g_order_check(void **vqueue, gssint_uint64 seqnum)
                     return(GSS_S_UNSEQ_TOKEN);
             }
         }
+        /*
+         * Exception: if first token arrived out-of-order.
+         * In that case first two elements in queue are 0xFFFFFFFF and some k,
+         * where k > seqnum. We need to insert seqnum before k.
+         * We check this after the for-loop, because this should be rare.
+         */
+        if ((QELEM(q, q->start) == (((uint64_t)0 - 1) & q->mask)) &&
+            ((QELEM(q, q->start + 1) > seqnum))) {
+                queue_insert(q, q->start, seqnum);
+                if (q->do_replay && !q->do_sequence)
+                    return(GSS_S_COMPLETE);
+                else
+                    return(GSS_S_UNSEQ_TOKEN);
+
+        }
     }
 
     /* this should never happen */