From: Greg Hudson
Date: Mon, 30 Mar 2020 19:26:02 +0000 (-0400)
Subject: Correctly import "service@" GSS host-based name
X-Git-Tag: krb5-1.19-beta1~96
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a2f047af0400ba8080dc26033fae2b17534501e2;p=thirdparty%2Fkrb5.git

Correctly import "service@" GSS host-based name

The intended way to specify only a service in a GSS host-based name is to omit the "@" separator. Some applications include the separator but no hostname, and this happened to yield wildcard hostname behavior prior to commit 996353767fe8afa7f67a3b5b465e4d70e18bad7c when shortname qualification was added. To restore this behavior, check in parse_hostbased() that at least one character is present after the "@" separator before copying the hostname. Add a test case to t_gssapi.py.
ticket: 8892
tags: pullup
target_version: 1.18-next
---
diff --git a/src/lib/gssapi/krb5/import_name.c b/src/lib/gssapi/krb5/import_name.c
index da2ab14232..21023dd769 100644
--- a/src/lib/gssapi/krb5/import_name.c
+++ b/src/lib/gssapi/krb5/import_name.c
@@ -102,8 +102,8 @@ parse_hostbased(const char *str, size_t len,
 memcpy(service, str, servicelen);
 service[servicelen] = '\0';
- /* If present, copy the hostname. */
- if (at != NULL) {
+ /* Copy the hostname if present (at least one character after '@'). */
+ if (len - servicelen > 1) {
 hostlen = len - servicelen - 1;
 host = malloc(hostlen + 1);
 if (host == NULL) {
diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
index 54d5cf5492..ecf982604a 100755
--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
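Review bot: The rewritten guard `if (len - servicelen > 1) {` in parse_hostbased() is unsigned arithmetic if `servicelen` is a `size_t` like `len`, and with the `at != NULL` test gone its safety rests entirely on `servicelen <= len`, which is established outside this hunk (the function starts before and continues past the visible lines). If that invariant ever broke, the subtraction would wrap and `hostlen`, and with it the `malloc(hostlen + 1)` below, would be computed from a wrapped value, so the comment should state the invariant. It should also say what an empty host means to callers, since per the commit message "service@" now gets wildcard hostname behavior. I would extend the comment to something like `/* Copy the hostname if at least one character follows '@'; servicelen <= len, so this cannot wrap. A bare "service@" copies no hostname (wildcard host). */`.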
@@ -47,6 +47,9 @@ realm.run(['./t_accname', 'p:service2/calvin', 'h:service2'],
 expected_msg='service2/calvin')
 realm.run(['./t_accname', 'p:service2/calvin', 'h:service1'], expected_code=1,
 expected_msg=' found in keytab but does not match server principal')
+# Regression test for #8892 (trailing @ in name).
+realm.run(['./t_accname', 'p:service1/andrew', 'h:service1@'],
+ expected_msg='service1/abraham')
 # Test with acceptor name containing service and host. Use the
 # client's un-canonicalized hostname as acceptor input to mirror what
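Review bot: The regression test added after the `h:service1` cases covers only the accepting path for a trailing '@'; nothing pins that `h:service1@` still refuses a ticket issued for a different service. Because the fix makes the empty host behave as a wildcard, a negative case next to it would guard against that wildcard widening beyond the hostname, mirroring the existing `h:service1` failure check just above: `realm.run(['./t_accname', 'p:service2/calvin', 'h:service1@'], expected_code=1, expected_msg=' found in keytab but does not match server principal')`. The expected message is assumed to be the same as in the case without '@' and should be confirmed when the test is run.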