Fix use_master handling with KDC hook reply

A post-receive KDC hook may synthesize a reply if k5_sendto() returns
an error.  If this happens, krb5_sendto_kdc() must not use server_used
to check if the reply came from a master KDC, as it does not have a
valid value.  Preemptively set *use_master to 1 in this case to bypass
the check.

ticket: 8386

diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
index 1e505754b2e7070fa1eec427a0575909da4a6808..d82b0cb1c9e3cd89c63d465853de748b6538c32b 100644 (file)
--- a/src/lib/krb5/os/sendto_kdc.c
+++ b/src/lib/krb5/os/sendto_kdc.c
@@ -431,7 +431,7 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
                 const krb5_data *realm, krb5_data *reply_out, int *use_master,
                 int no_udp)
 {
-    krb5_error_code retval, err;
+    krb5_error_code retval, oldret, err;
     struct serverlist servers;
     int server_used;
     k5_transport_strategy strategy;
@@ -514,9 +514,16 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
     }
 
     if (context->kdc_recv_hook != NULL) {
+        oldret = retval;
         retval = context->kdc_recv_hook(context, context->kdc_recv_hook_data,
                                         retval, realm, message, &reply,
                                         &hook_reply);
+        if (oldret && !retval) {
+            /* The hook must set a reply if it overrides an error from
+             * k5_sendto().  Treat this reply as coming from the master KDC. */
+            assert(hook_reply != NULL);
+            *use_master = 1;
+        }
     }
     if (retval)
         goto cleanup;