From a2f047af0400ba8080dc26033fae2b17534501e2 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Mon, 30 Mar 2020 15:26:02 -0400 Subject: [PATCH] Correctly import "service@" GSS host-based name The intended way to specify only a service in a GSS host-based name is to omit the "@" separator. Some applications include the separator but no hostname, and this happened to yield wildcard hostname behavior prior to commit 996353767fe8afa7f67a3b5b465e4d70e18bad7c when shortname qualification was added. To restore this behavior, check in parse_hostbased() that at least one character is present after the "@" separator before copying the hostname. Add a test case to t_gssapi.py. ticket: 8892 tags: pullup target_version: 1.18-next --- src/lib/gssapi/krb5/import_name.c | 4 ++-- src/tests/gssapi/t_gssapi.py | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/src/lib/gssapi/krb5/import_name.c b/src/lib/gssapi/krb5/import_name.c index da2ab14232..21023dd769 100644 --- a/src/lib/gssapi/krb5/import_name.c +++ b/src/lib/gssapi/krb5/import_name.c @@ -102,8 +102,8 @@ parse_hostbased(const char *str, size_t len, memcpy(service, str, servicelen); service[servicelen] = '\0'; - /* If present, copy the hostname. */ - if (at != NULL) { + /* Copy the hostname if present (at least one character after '@'). */ + if (len - servicelen > 1) { hostlen = len - servicelen - 1; host = malloc(hostlen + 1); if (host == NULL) { diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py index 54d5cf5492..ecf982604a 100755 --- a/src/tests/gssapi/t_gssapi.py +++ b/src/tests/gssapi/t_gssapi.py @@ -47,6 +47,9 @@ realm.run(['./t_accname', 'p:service2/calvin', 'h:service2'], expected_msg='service2/calvin') realm.run(['./t_accname', 'p:service2/calvin', 'h:service1'], expected_code=1, expected_msg=' found in keytab but does not match server principal') +# Regression test for #8892 (trailing @ in name). +realm.run(['./t_accname', 'p:service1/andrew', 'h:service1@'], + expected_msg='service1/abraham') # Test with acceptor name containing service and host. Use the # client's un-canonicalized hostname as acceptor input to mirror what -- 2.47.2