From: Greg Hudson Date: Thu, 9 Jun 2016 17:23:48 +0000 (-0400) Subject: Fix use_master handling with KDC hook reply X-Git-Tag: krb5-1.15-beta1~176 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=603a14f9eb8a81556502fcdc5fac65f0d4f323dc;p=thirdparty%2Fkrb5.git Fix use_master handling with KDC hook reply A post-receive KDC hook may synthesize a reply if k5_sendto() returns an error. If this happens, krb5_sendto_kdc() must not use server_used to check if the reply came from a master KDC, as it does not have a valid value. Preemptively set *use_master to 1 in this case to bypass the check. ticket: 8386 --- diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c index 1e505754b2..d82b0cb1c9 100644 --- a/src/lib/krb5/os/sendto_kdc.c +++ b/src/lib/krb5/os/sendto_kdc.c @@ -431,7 +431,7 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message, const krb5_data *realm, krb5_data *reply_out, int *use_master, int no_udp) { - krb5_error_code retval, err; + krb5_error_code retval, oldret, err; struct serverlist servers; int server_used; k5_transport_strategy strategy; @@ -514,9 +514,16 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message, } if (context->kdc_recv_hook != NULL) { + oldret = retval; retval = context->kdc_recv_hook(context, context->kdc_recv_hook_data, retval, realm, message, &reply, &hook_reply); + if (oldret && !retval) { + /* The hook must set a reply if it overrides an error from + * k5_sendto(). Treat this reply as coming from the master KDC. */ + assert(hook_reply != NULL); + *use_master = 1; + } } if (retval) goto cleanup;
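Review bot: In the second hunk, `assert(hook_reply != NULL);` is the only enforcement of the contract on the application-supplied receive hook, and it compiles away when the library is built with NDEBUG. In that build, a hook that turns a k5_sendto() error into success without setting a reply would fall through with `*use_master = 1` and no synthesized reply, while in a build with assertions enabled the same hook bug aborts the calling process. A runtime check that fails closed would behave the same in both builds, for example `if (hook_reply == NULL) { retval = oldret; goto cleanup; }` placed ahead of `*use_master = 1;`. The later use of `server_used` lies outside the hunk, so it cannot be confirmed from here that no other path reads it without a valid value; giving it a sentinel initializer at its declaration (visible as context in the first hunk) would be cheap defense in depth. krb5_sendto_kdc's body starts and ends outside both hunks.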