| Commit message | Author | Age |
|
Don't free the incoming notice if we don't know for sure there's one.
Drop the message on read error in the tty case.
|
I am becoming increasingly enamored with the fall-through on error
clean-up-everything-at-the-end style of C error handling and resource
management.
Also remove some misleading/useless/wrong comments.
(also fix a problem in the tickets expired case where it was using
the wrong (possibly undefined) authenticator length)
|
Per Nelson Elhage:
find_or_insert_uid sorts 'buffer' by the uid, which is a
remotely-provided field. However, in order to expire uids, it does:
    while (num && (now - buffer[start % size].t) > CLOCK_SKEW)
        start++, num--;
    start %= size;
i.e. starts from the start of the queue and goes until it finds
something sufficiently new. Since the queue ordering is
attacker-controlled, we can send an arbitrarily-long sequence of
decreasing uids, consuming memory and forcing the client into an
ever-growing quadratic loop to insert them at the beginning.
--
Solve this by not keeping the buffer sorted; just tack the incoming
uids on the end. This way an attacker can make us keep five minutes
worth of UIDs, but only five minutes, and also anecdotally a client
under attack spends all of its CPU sorting uids.
|
krb5 actually checks in mk_req and fails if the tickets are expired,
rather than giving you an authenticator that would fail and handing
you the session key that you'd already negotiated. This causes (meh)
sending auth to fail as opposed to just ending up unauthentic and
(poor) verifiable messages to look unauthentic or forged.
So get the session key from the ccache without checking the expiration
time, and have the cert routine skip making an authenticator if
krb5_mk_req_extended says the ticket is expired.
|
| |
(The time used to be set before the bounds check, so one could
potentially get an accumulation of packets in the queue without
timestamps that could never be assembled into a full notice; thanks to
nelhage@mit.edu for noticing.)
|
(thanks to nelhage@mit.edu for noticing this)
|
noticing)
|
nelhage@mit.edu for noticing)
|
(Thanks to nelhage@mit.edu for noticing the formatting problem)
|
only send one sub per packet in braindump
refactor bdump_send_list_tcp and send_normal_tcp
brain dump can now cleanly receive overlarge encrypted packets
refactor subscr_send_subs and subscr_send_realm_subs
nuke trailing whitespace
|
As a precursor to loosening the dependency on ss.
(Thanks to Ken Raeburn)
|
Print only the fields of ZGetDestAddr we care about checking -- the
address family and address. We can't just print the whole structure
and selectively examine fields, because we can't easily determine
whether sin_len will be present or not.
(from Ken Raeburn)
|
(from Ken Raeburn)
|
Initial support for examining and printing sockaddr structures on
Darwin and *BSD, where _len fields are present and the _family field
is 8 bits.
(from Ken Raeburn)
|
(from Ken Raeburn)
|
(which coincidentally keeps us from reporting the wrong function with an
error code)
|
Also clean up some indentation and add error logging.
|
turns out that derived-key stuff actually worked if you were using heimdal.
|
In valid_utf8_p(), uc was improperly typed and never initialized. On
64-bit systems, this means that success is dependent on previous
stack contents.
If the upper 32 bits are not zero, the null terminator is not caught
and the function continues reading past the end of the string until:
1) Invalid UTF-8 is encountered
2) An invalid Unicode codepoint is encountered
3) segfault
1 and 2 are much more likely, but 3 is a danger.
|
cg2v@ANDREW.CMU.EDU
|
also, we probably shouldn't undefine it
|
"class_name"
|