From: Matt Rogers
Date: Fri, 13 May 2016 00:36:41 +0000 (-0400)
Subject: Fail on error when processing KDC-issued authdata
X-Git-Tag: krb5-1.15-beta1~170
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=19eee5ffaca1cc5f2c8696188e524240e33af777;p=thirdparty%2Fkrb5.git

Fail on error when processing KDC-issued authdata

Have k5_get_kdc_issued_authdata() return 0 on a verification failure and non-zero for other failures, rather than call assert(). Check the return value when called in krb5int_authdata_verify().

ticket: 8425
---

diff --git a/src/lib/krb5/krb/authdata.c b/src/lib/krb5/krb/authdata.c
index 047128a00d..91261b8059 100644
--- a/src/lib/krb5/krb/authdata.c
+++ b/src/lib/krb5/krb/authdata.c
@@ -499,6 +499,7 @@ krb5_authdata_import_attributes(krb5_context kcontext,
 return k5_ad_internalize(kcontext, context, usage, &bp, &remain);
 }
 
+/* Return 0 with *kdc_issued_authdata == NULL on verification failure. */
 static krb5_error_code
 k5_get_kdc_issued_authdata(krb5_context kcontext,
 const krb5_ap_req *ap_req,
@@ -530,7 +531,10 @@ k5_get_kdc_issued_authdata(krb5_context kcontext,
 kdc_issuer,
 kdc_issued_authdata);
 
- assert(code == 0 || *kdc_issued_authdata == NULL);
+ if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY ||
+ code == KRB5KRB_AP_ERR_INAPP_CKSUM ||
+ code == KRB5_BAD_ENCTYPE || code == KRB5_BAD_MSIZE)
+ code = 0;
 
 krb5_free_authdata(kcontext, authdata);
 
@@ -621,8 +625,11 @@ krb5int_authdata_verify(krb5_context kcontext,
 authen_authdata = (*auth_context)->authentp->authorization_data;
 ticket_authdata = ap_req->ticket->enc_part2->authorization_data;
 
- k5_get_kdc_issued_authdata(kcontext, ap_req,
- &kdc_issuer, &kdc_issued_authdata);
+
+ code = k5_get_kdc_issued_authdata(kcontext, ap_req, &kdc_issuer,
+ &kdc_issued_authdata);
+ if (code)
+ goto cleanup;
 
 code = get_cammac_authdata(kcontext, ap_req, key, &cammac_authdata);
 if (code)
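Review bot: The branch in k5_get_kdc_issued_authdata() that maps the four verification errors to `code = 0` does not itself guarantee that `*kdc_issued_authdata` is NULL, although the new header comment promises it and the removed assert() used to check exactly that. If the verification call ever leaves a list in the output on one of these errors, the caller would go on to treat unverified elements as KDC-issued, so the branch should fail closed: brace the body and add `krb5_free_authdata(kcontext, *kdc_issued_authdata);` and `*kdc_issued_authdata = NULL;` before `code = 0;`. A short comment on the `if`, such as `/* An unverifiable KDC-issued container is treated as absent, not as a fatal error. */`, would also record why these particular codes are swallowed. The function body begins and ends outside the hunk, so the initial state of the output pointers and the final return statement are not visible here.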
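Review bot: The new `goto cleanup` in krb5int_authdata_verify() is taken before get_cammac_authdata() has run, so every local that the cleanup label releases (presumably including `cammac_authdata`) has to be initialised to NULL at its declaration for this early exit to be safe. Neither the declarations nor the label are inside the hunk, so this needs to be confirmed against the full function. Separately, the hunk adds an empty line directly after an existing empty line, leaving two consecutive blank lines before the call; the added one can be dropped.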