[sssd/f20] Handle OTP response from FreeIPA server gracefully
Jakub Hrozek
jhrozek at fedoraproject.org
Tue Feb 11 14:54:48 UTC 2014
commit f706d1401ae68eb2af79650435623b1e9d466390
Author: Jakub Hrozek <jhrozek at redhat.com>
Date: Tue Feb 11 15:44:57 2014 +0100
Handle OTP response from FreeIPA server gracefully
...arsing-krb5_child-response-make-sure-to-n.patch | 46 ++++++++++++++++++++
sssd.spec | 6 ++-
2 files changed, 51 insertions(+), 1 deletions(-)
---
diff --git a/0001-FAST-when-parsing-krb5_child-response-make-sure-to-n.patch b/0001-FAST-when-parsing-krb5_child-response-make-sure-to-n.patch
new file mode 100644
index 0000000..2fc86ab
--- /dev/null
+++ b/0001-FAST-when-parsing-krb5_child-response-make-sure-to-n.patch
@@ -0,0 +1,46 @@
+From 153efc74ff188c12c03e9578c6fb1d39c69ef5d7 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab at samba.org>
+Date: Tue, 24 Dec 2013 13:01:46 +0200
+Subject: [PATCH] FAST: when parsing krb5_child response, make sure to not miss
+ OTP message if it was last one
+
+The last message in the stream might be with empty payload which means we get
+only message type and message length (0) returned, i.e. 8 bytes left remaining
+in the stream after processing preceding message. This makes our calculation at
+the end of a message processing loop incorrect -- p+2*sizeof(int32_t) can be
+equal to len, after all.
+
+Fixes FAST processing for FreeIPA native OTP case:
+https://fedorahosted.org/sssd/ticket/2186
+---
+ src/providers/krb5/krb5_child_handler.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
+index 92dec0d2afb1627b61c3dd1037e91546a7ee08d6..d6c1dc1f9707444a82e433a375839cadf73f1259 100644
+--- a/src/providers/krb5/krb5_child_handler.c
++++ b/src/providers/krb5/krb5_child_handler.c
+@@ -548,8 +548,9 @@ parse_krb5_child_response(TALLOC_CTX *mem_ctx, uint8_t *buf, ssize_t len,
+ * CCACHE_ENV_NAME"=". pref_len also counts the trailing '=' because
+ * sizeof() counts the trailing '\0' of a string. */
+ pref_len = sizeof(CCACHE_ENV_NAME);
+- if (msg_len > pref_len &&
+- strncmp((const char *) &buf[p], CCACHE_ENV_NAME"=", pref_len) == 0) {
++ if ((msg_type == SSS_PAM_ENV_ITEM) &&
++ (msg_len > pref_len) &&
++ (strncmp((const char *) &buf[p], CCACHE_ENV_NAME"=", pref_len) == 0)) {
+ ccname = (char *) &buf[p+pref_len];
+ ccname_len = msg_len-pref_len;
+ }
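Review bot: The new `(msg_type == SSS_PAM_ENV_ITEM)` condition in this `if` is not covered by the commit message, which only describes the length calculation at the end of the loop. Please add a sentence to the message, or extend the comment above `pref_len`, saying why the ccache-name match is now restricted to environment items; if the intent is that a payload of another message type that happens to begin with `CCACHE_ENV_NAME"="` must not be taken as `ccname`, say so. Separately, `msg_len > pref_len` compares against a `sizeof` result, and the hunk does not show where `msg_len` is validated against `len`, so it is worth confirming that check runs before this `strncmp` reads from `&buf[p]`.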
+@@ -600,7 +601,7 @@ parse_krb5_child_response(TALLOC_CTX *mem_ctx, uint8_t *buf, ssize_t len,
+
+ p += msg_len;
+
+- if ((p < len) && (p + 2*sizeof(int32_t) >= len)) {
++ if ((p < len) && (p + 2*sizeof(int32_t) > len)) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("The remainder of the message is too short.\n"));
+ return EINVAL;
+--
+1.8.5.3
+
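Review bot: In the changed condition `(p + 2*sizeof(int32_t) > len)`, `len` is declared `ssize_t` in the function signature while `2*sizeof(int32_t)` is a `size_t`, so the comparison is carried out in unsigned arithmetic and relies on the sum not wrapping. Expressing it as bytes remaining, for example `(size_t)(len - p) < 2*sizeof(int32_t)` under the existing `p < len` guard, states the intent (less than one type-plus-length header left) directly. With `>` a trailing message that leaves exactly 8 bytes now passes, which is the case the commit message describes; a regression test that feeds a response ending in a zero-length message would pin this boundary down.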
diff --git a/sssd.spec b/sssd.spec
index 90289d5..c7259f8 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -14,7 +14,7 @@
Name: sssd
Version: 1.11.3
-Release: 1%{?dist}
+Release: 2%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@@ -23,6 +23,7 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ###
+Patch0001: 0001-FAST-when-parsing-krb5_child-response-make-sure-to-n.patch
Patch0602: 0602-FEDORA-Add-CIFS-idmap-plugin.patch
### Dependencies ###
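Review bot: `Patch0001` is declared here, but none of the `sssd.spec` hunks touch `%prep`, and the six changed lines in the diffstat are all accounted for by the Release, Patch0001 and changelog lines. Please confirm that `%prep` applies every declared patch automatically; if it lists patches individually, the matching `%patch` line is missing and the fix would not end up in the build.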
@@ -730,6 +731,9 @@ fi
%postun -n libsss_idmap -p /sbin/ldconfig
%changelog
+* Tue Feb 11 2014 Jakub Hrozek <jhrozek at redhat.com> - 1.11.3-2
+- Handle OTP response from FreeIPA server gracefully
+
* Wed Oct 30 2013 Jakub Hrozek <jhrozek at redhat.com> - 1.11.3-1
- New upstream release 1.11.3
- Remove upstreamed patches