From: Zhanna Tsitkov <tsitkova@mit.edu>
Date: Thu, 19 Sep 2013 17:11:15 +0000 (-0400)
Subject: Err codes in KRB_ERROR protocol messages are < 128
X-Git-Tag: krb5-1.12-alpha1~24
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=58ea3bdbfe6330225a2d58dfb00ccf1ad70617fe;p=thirdparty%2Fkrb5.git

Err codes in KRB_ERROR protocol messages are < 128

If the error code is out of [0,127] range, assign it to KRB_ERR_GENERIC.
This fix is to correct the previous behavior with [0,128] range.
For more information see  krb5_err.et
---

diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index f84fbd8359..d5814d9bb0 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -381,6 +381,7 @@ typedef INT64_TYPE krb5_int64;
                                                       not find a KDC */
 #define KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE       86 /* The KDC did not respond
                                                       to the IAKERB proxy */
+#define KRB_ERR_MAX 127 /* err table base max offset for protocol err codes */
 
 /*
  * A null-terminated array of this structure is returned by the KDC as
diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
index 7f455d8640..4a91159e4f 100644
--- a/src/kadmin/server/schpw.c
+++ b/src/kadmin/server/schpw.c
@@ -365,7 +365,7 @@ chpwfail:
            to mk_error do. */
         krberror.error = ret;
         krberror.error -= ERROR_TABLE_BASE_krb5;
-        if (krberror.error < 0 || krberror.error > 128)
+        if (krberror.error < 0 || krberror.error > KRB_ERR_MAX)
             krberror.error = KRB_ERR_GENERIC;
 
         krberror.client = NULL;
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 11ba5a283d..8790ec4032 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -351,7 +351,7 @@ egress:
         }
         if (errcode != KRB5KDC_ERR_DISCARD) {
             errcode -= ERROR_TABLE_BASE_krb5;
-            if (errcode < 0 || errcode > 128)
+            if (errcode < 0 || errcode > KRB_ERR_MAX)
                 errcode = KRB_ERR_GENERIC;
 
             errcode = prepare_error_as(state->rstate, state->request,
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index f047dd8f6d..ae5e7572ea 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -776,7 +776,7 @@ cleanup:
             got_err = 1;
         }
         errcode -= ERROR_TABLE_BASE_krb5;
-        if (errcode < 0 || errcode > 128)
+        if (errcode < 0 || errcode > KRB_ERR_MAX)
             errcode = KRB_ERR_GENERIC;
 
         retval = prepare_error_tgs(state, request, header_ticket, errcode,
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 82bd013c32..9f9b6c6799 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -1233,7 +1233,7 @@ fail:
         memset(&krb_error_data, 0, sizeof(krb_error_data));
 
         code -= ERROR_TABLE_BASE_krb5;
-        if (code < 0 || code > 128)
+        if (code < 0 || code > KRB_ERR_MAX)
             code = 60 /* KRB_ERR_GENERIC */;
 
         krb_error_data.error = code;