From 3d56ca44fc331bc6dfd0ee114b7f185d0ac55a2a Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Mon, 13 Apr 2015 13:09:20 -0400 Subject: [PATCH] Fix LDAP ticket policies on big-endian LP64 krb5_ldap_get_value() takes a pointer to int, and should not be passed a pointer to any integral type which might have a different width. Use an intermediate variable for each call. The erroneous calls in ldap_misc.c were passing pointers to int32_t, which is harmless on all common platforms. The calls in ldap_tkt_policy.c were passing pointers to long; on big-endian LP64 platforms, the result would be written to the high 32 bits of the long value. (cherry picked from commit 7fbc092107298bded216fbce4cff6592275bff03) (back ported from commit 50913c7372c5c13a1270d6823f914e07ce0563ba) ticket: 8193 (new) version_fixed: 1.12.4 status: resolved --- src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 16 +++++++++------- .../kdb/ldap/libkdb_ldap/ldap_tkt_policy.c | 16 ++++++++++------ 2 files changed, 19 insertions(+), 13 deletions(-) diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c index abefcf572d..ef2541b355 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 
@@ -1725,18 +1725,20 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context, } /* KRBMAXTICKETLIFE */ - if (krb5_ldap_get_value(ld, ent, "krbmaxticketlife", &(entry->max_life)) == 0) + if (krb5_ldap_get_value(ld, ent, "krbmaxticketlife", &val) == 0) { + entry->max_life = val; mask |= KDB_MAX_LIFE_ATTR; - + } /* KRBMAXRENEWABLEAGE */ - if (krb5_ldap_get_value(ld, ent, "krbmaxrenewableage", - &(entry->max_renewable_life)) == 0) + if (krb5_ldap_get_value(ld, ent, "krbmaxrenewableage", &val) == 0) { + entry->max_renewable_life = val; mask |= KDB_MAX_RLIFE_ATTR; - + } /* KRBTICKETFLAGS */ - if (krb5_ldap_get_value(ld, ent, "krbticketflags", &(entry->attributes)) == 0) + if (krb5_ldap_get_value(ld, ent, "krbticketflags", &val) == 0) { + entry->attributes = val; mask |= KDB_TKT_FLAGS_ATTR; - + } /* PRINCIPAL EXPIRATION TIME */ if ((st=krb5_ldap_get_time(ld, ent, "krbprincipalexpiration", &(entry->expiration), &attr_present)) != 0) diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c index 02d8e7c6e3..3a851a96d1 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c @@ -193,7 +193,7 @@ krb5_ldap_read_policy(krb5_context context, char *policyname, krb5_ldap_policy_params **policy, int *omask) { krb5_error_code st=0, tempst=0; - int objectmask=0; + int objectmask=0, val=0; LDAP *ld=NULL; LDAPMessage *result=NULL,*ent=NULL; char *attributes[] = { "krbMaxTicketLife", "krbMaxRenewableAge", "krbTicketFlags", NULL}; 
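Review bot: The directory-supplied values for krbmaxticketlife and krbmaxrenewableage are assigned straight into `entry->max_life` and `entry->max_renewable_life` with no sign or range check in the visible lines, so a negative attribute value would be stored as a negative lifetime. krb5_ldap_get_value() is not shown here and may already reject such input; if it does not, the guard for the two lifetime attributes could be `if (krb5_ldap_get_value(ld, ent, "krbmaxticketlife", &val) == 0 && val >= 0) {`, leaving krbticketflags alone since it appears to be a bit mask. The same applies to `lpolicy->maxtktlife` and `lpolicy->maxrenewlife` in the krb5_ldap_read_policy hunk of ldap_tkt_policy.c. The declaration of `val` in populate_krb5_db_entry lies outside this hunk, as do the start and end of the function, so it is worth confirming that it is a plain `int`.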
@@ -241,14 +241,18 @@ krb5_ldap_read_policy(krb5_context context, char *policyname, ent=ldap_first_entry(ld, result); if (ent != NULL) { - if (krb5_ldap_get_value(ld, ent, "krbmaxticketlife", (int *) &(lpolicy->maxtktlife)) == 0) + if (krb5_ldap_get_value(ld, ent, "krbmaxticketlife", &val) == 0) { + lpolicy->maxtktlife = val; *omask |= LDAP_POLICY_MAXTKTLIFE; - - if (krb5_ldap_get_value(ld, ent, "krbmaxrenewableage", (int *) &(lpolicy->maxrenewlife)) == 0) + } + if (krb5_ldap_get_value(ld, ent, "krbmaxrenewableage", &val) == 0) { + lpolicy->maxrenewlife = val; *omask |= LDAP_POLICY_MAXRENEWLIFE; - - if (krb5_ldap_get_value(ld, ent, "krbticketflags", (int *) &(lpolicy->tktflags)) == 0) + } + if (krb5_ldap_get_value(ld, ent, "krbticketflags", &val) == 0) { + lpolicy->tktflags = val; *omask |= LDAP_POLICY_TKTFLAGS; + } } lpolicy->mask = *omask; -- 2.47.2
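Review bot: Nothing in the new krb5_ldap_read_policy code records why each value is read into `val` and then copied. The removed `(int *)` casts show how easily the width mismatch was hidden from the compiler, so a later cleanup could reintroduce it. A short comment above the first call would help, for example `/* krb5_ldap_get_value() stores through an int *; read into val so the width of the lpolicy fields does not matter. */`. The function starts and ends outside this hunk.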