From: Joseph Sutton
Date: Thu, 9 Nov 2023 23:43:03 +0000 (+1300)
Subject: third_party/heimdal: krb5: Try to decode e-data as KERB-ERROR-DATA (falling back...
X-Git-Tag: talloc-2.4.2~785
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b8ffb24596452edb647d8df8b2ec608a607ebac4;p=thirdparty%2Fsamba.git
third_party/heimdal: krb5: Try to decode e-data as KERB-ERROR-DATA (falling back to METHOD-DATA) (Import lorikeet-heimdal-202311092338 (commit 50996e5f0b0f22a4eb755a6f22cb7b4ecab2aeea)) Previously we tried to decode KERB-ERROR-DATA as METHOD-DATA, resulting in a confusing error message. Now we just ignore it; but we could also choose to set an error message containing the NTSTATUS code in hexadecimal. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15514 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Nov 10 01:35:32 UTC 2023 on atb-devel-224
---
diff --git a/third_party/heimdal/lib/krb5/get_cred.c b/third_party/heimdal/lib/krb5/get_cred.c
index 6e48846bcb3..ff06325912b 100644
--- a/third_party/heimdal/lib/krb5/get_cred.c
+++ b/third_party/heimdal/lib/krb5/get_cred.c
@@ -719,13 +719,31 @@ get_cred_kdc(krb5_context context,
 memset(&md, 0, sizeof(md));
 if (rep.error.e_data) {
- ret = decode_METHOD_DATA(rep.error.e_data->data,
- rep.error.e_data->length,
- &md, NULL);
+ KERB_ERROR_DATA kerb_error_data;
+
+ memset(&kerb_error_data, 0, sizeof(kerb_error_data));
+
+ /* First try to decode the e-data as KERB-ERROR-DATA. */
+ ret = decode_KERB_ERROR_DATA(rep.error.e_data->data,
+ rep.error.e_data->length,
+ &kerb_error_data,
+ &len);
 if (ret) {
- krb5_set_error_message(context, ret,
- N_("Failed to decode METHOD-DATA", ""));
- goto out;
+ /* That failed, so try to decode it as METHOD-DATA. */
+ ret = decode_METHOD_DATA(rep.error.e_data->data,
+ rep.error.e_data->length,
+ &md, NULL);
+ if (ret) {
+ krb5_set_error_message(context, ret,
+ N_("Failed to decode METHOD-DATA", ""));
+ goto out;
+ }
+ } else if (len != rep.error.e_data->length) {
+ /* Trailing data — just ignore the error. */
+ free_KERB_ERROR_DATA(&kerb_error_data);
+ } else {
+ /* OK. */
+ free_KERB_ERROR_DATA(&kerb_error_data);
 }
 }
diff --git a/third_party/heimdal/lib/krb5/init_creds_pw.c b/third_party/heimdal/lib/krb5/init_creds_pw.c
index 2c026ad29f2..8b6db0be594 100644
--- a/third_party/heimdal/lib/krb5/init_creds_pw.c
+++ b/third_party/heimdal/lib/krb5/init_creds_pw.c
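Review bot: In the get_cred_kdc hunk of get_cred.c, the `else if (len != rep.error.e_data->length)` arm and the final `else` arm run the same statement, so the trailing-data check changes nothing and reads as if a distinction had been intended. If tolerating trailing bytes is deliberate, a single `else { free_KERB_ERROR_DATA(&kerb_error_data); }` carrying a comment such as `/* Decoded only to recognise KERB-ERROR-DATA; the value is discarded and trailing bytes are tolerated. */` says so directly. The e-data arrives in a KRB-ERROR reply, which plain Kerberos does not integrity-protect, so lenient parsing of it is worth stating explicitly rather than leaving implicit. The same pair of arms appears in the init_creds_step hunk of init_creds_pw.c. The declaration of `len` and the rest of get_cred_kdc are outside the hunk.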
@@ -3146,19 +3146,36 @@ init_creds_step(krb5_context context,
 memset(&ctx->md, 0, sizeof(ctx->md));
 if (ctx->error.e_data) {
+ KERB_ERROR_DATA kerb_error_data;
 krb5_error_code ret2;
- ret2 = decode_METHOD_DATA(ctx->error.e_data->data,
- ctx->error.e_data->length,
- &ctx->md,
- NULL);
+ memset(&kerb_error_data, 0, sizeof(kerb_error_data));
+
+ /* First try to decode the e-data as KERB-ERROR-DATA. */
+ ret2 = decode_KERB_ERROR_DATA(ctx->error.e_data->data,
+ ctx->error.e_data->length,
+ &kerb_error_data,
+ &len);
 if (ret2) {
- /*
- * Just ignore any error, the error will be pushed
- * out from krb5_error_from_rd_error() if there
- * was one.
- */
- _krb5_debug(context, 5, N_("Failed to decode METHOD-DATA", ""));
+ /* That failed, so try to decode it as METHOD-DATA. */
+ ret2 = decode_METHOD_DATA(ctx->error.e_data->data,
+ ctx->error.e_data->length,
+ &ctx->md,
+ NULL);
+ if (ret2) {
+ /*
+ * Just ignore any error, the error will be pushed
+ * out from krb5_error_from_rd_error() if there
+ * was one.
+ */
+ _krb5_debug(context, 5, N_("Failed to decode METHOD-DATA", ""));
+ }
+ } else if (len != ctx->error.e_data->length) {
+ /* Trailing data — just ignore the error. */
+ free_KERB_ERROR_DATA(&kerb_error_data);
+ } else {
+ /* OK. */
+ free_KERB_ERROR_DATA(&kerb_error_data);
 }
 }
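Review bot: The branch of init_creds_step where decode_KERB_ERROR_DATA succeeds leaves no trace, while the METHOD-DATA failure path just above it still logs through `_krb5_debug`. Someone diagnosing a failed logon cannot tell from the debug output that the KDC sent KERB-ERROR-DATA, or that it carried trailing bytes. A line such as `_krb5_debug(context, 5, N_("Ignoring KERB-ERROR-DATA in e-data", ""));` before each `free_KERB_ERROR_DATA` call would record it without changing control flow. The commit message already notes that the NTSTATUS code could be surfaced, which would be the natural follow-up. The body of init_creds_step continues outside the hunk.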