Err codes in KRB_ERROR protocol messages are < 128

If the error code is out of [0,127] range, assign it to KRB_ERR_GENERIC.
This fix is to correct the previous behavior with [0,128] range.
For more information see  krb5_err.et

diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index f84fbd83597be1ca92d8c73bb3af8dfc31a05959..d5814d9bb0307ca1ace0d91de6c891539498ecec 100644 (file)
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -381,6 +381,7 @@ typedef INT64_TYPE krb5_int64;
                                                       not find a KDC */
 #define KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE       86 /* The KDC did not respond
                                                       to the IAKERB proxy */
+#define KRB_ERR_MAX 127 /* err table base max offset for protocol err codes */
 
 /*
  * A null-terminated array of this structure is returned by the KDC as

diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
index 7f455d8640fe443660abaa4dd1897da27222e4e0..4a91159e4f6e20fcfe9b3a8a293b5d186b59d29b 100644 (file)
--- a/src/kadmin/server/schpw.c
+++ b/src/kadmin/server/schpw.c
@@ -365,7 +365,7 @@ chpwfail:
            to mk_error do. */
         krberror.error = ret;
         krberror.error -= ERROR_TABLE_BASE_krb5;
-        if (krberror.error < 0 || krberror.error > 128)
+        if (krberror.error < 0 || krberror.error > KRB_ERR_MAX)
             krberror.error = KRB_ERR_GENERIC;
 
         krberror.client = NULL;

diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 11ba5a283d994e97a6512705a1203d4266a2000f..8790ec4032b80023a19601b780e222e2b64ad136 100644 (file)
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -351,7 +351,7 @@ egress:
         }
         if (errcode != KRB5KDC_ERR_DISCARD) {
             errcode -= ERROR_TABLE_BASE_krb5;
-            if (errcode < 0 || errcode > 128)
+            if (errcode < 0 || errcode > KRB_ERR_MAX)
                 errcode = KRB_ERR_GENERIC;
 
             errcode = prepare_error_as(state->rstate, state->request,

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index f047dd8f6ddd7c572501d910580be8c517755c8a..ae5e7572ea330ee8e74959a2ea31d18e6924b7cd 100644 (file)
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -776,7 +776,7 @@ cleanup:
             got_err = 1;
         }
         errcode -= ERROR_TABLE_BASE_krb5;
-        if (errcode < 0 || errcode > 128)
+        if (errcode < 0 || errcode > KRB_ERR_MAX)
             errcode = KRB_ERR_GENERIC;
 
         retval = prepare_error_tgs(state, request, header_ticket, errcode,

diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 82bd013c32f6a8f418a156a236a252c05b5d8585..9f9b6c67995c563bb8d73cb7a4405186b9c58db8 100644 (file)
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -1233,7 +1233,7 @@ fail:
         memset(&krb_error_data, 0, sizeof(krb_error_data));
 
         code -= ERROR_TABLE_BASE_krb5;
-        if (code < 0 || code > 128)
+        if (code < 0 || code > KRB_ERR_MAX)
             code = 60 /* KRB_ERR_GENERIC */;
 
         krb_error_data.error = code;