Bug 15603 - Heimdal ignores _gsskrb5_decapsulate errors in init_sec_context/repl_mutual
Summary: Heimdal ignores _gsskrb5_decapsulate errors in init_sec_context/repl_mutual
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
Version: 4.20.0rc3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Stefan Metzmacher
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-03-11 14:41 UTC by Stefan Metzmacher
Modified: 2024-03-11 14:41 UTC

See Also:


Description Stefan Metzmacher 2024-03-11 14:41:21 UTC
It seems (at least our own) DNS server echoes the Kerberos AP-REQ inside GSSAPI
and we feed that back into gss_init_sec_context().

In repl_mutual we expect _gsskrb5_decapsulate to check for a TOK_ID = KRB_AP_REP (02 00) PDU or fall back to KRB_ERROR (03 00), but for KRB_AP_REQ (01 00)
we get GSS_S_DEFECTIVE_TOKEN and ignore that and call krb5_rd_rep with
uninitialized data, which generates ASN1_MISSING_FIELD.
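As an added illustration of the check the report says repl_mutual skips (this is example code, not Heimdal's or Samba's): a simplified decapsulation of the RFC 1964/4121 token framing that dispatches on TOK_ID and stops on GSS_S_DEFECTIVE_TOKEN instead of handing unparsed data to the AP-REP step. The names decapsulate, repl_mutual_check and check_sample are stand-ins chosen for this example, and the sample tokens are constructed.

```c
#include <stdint.h>
#include <string.h>
/* Stand-ins for GSS major status values; TOK_IDs from RFC 4121 section 4.1. */
enum { EX_COMPLETE = 0, EX_DEFECTIVE_TOKEN = 1, EX_FAILURE = 2 };
enum { TOK_AP_REQ = 0x0100, TOK_AP_REP = 0x0200, TOK_ERROR = 0x0300 };
/* DER-encoded krb5 mechanism OID 1.2.840.113554.1.2.2 (RFC 1964). */
static const uint8_t KRB5_MECH_OID[] = {
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 };
/* Simplified stand-in for _gsskrb5_decapsulate: strip the [APPLICATION 0]
 * wrapper and mech OID, require TOK_ID == want, expose the inner message. */
static int decapsulate(const uint8_t *tok, size_t len, uint16_t want,
                       const uint8_t **body, size_t *body_len)
{
    size_t i = 1, inner;
    if (len < 3 || tok[0] != 0x60) return EX_DEFECTIVE_TOKEN;
    if (tok[i] < 0x80) inner = tok[i++];                      /* short DER length */
    else if (tok[i] == 0x81) { inner = tok[i + 1]; i += 2; }  /* 1-byte long form */
    else return EX_DEFECTIVE_TOKEN;
    if (inner != len - i || inner < sizeof KRB5_MECH_OID + 2 ||
        memcmp(tok + i, KRB5_MECH_OID, sizeof KRB5_MECH_OID) != 0)
        return EX_DEFECTIVE_TOKEN;
    i += sizeof KRB5_MECH_OID;
    if ((uint16_t)((tok[i] << 8) | tok[i + 1]) != want) return EX_DEFECTIVE_TOKEN;
    *body = tok + i + 2; *body_len = len - i - 2;
    return EX_COMPLETE;
}
/* repl_mutual with every decapsulate result checked: only an AP-REP reaches the
 * (stand-in) krb5_rd_rep step, KRB-ERROR fails, anything else is rejected. */
int repl_mutual_check(const uint8_t *tok, size_t len)
{
    const uint8_t *body; size_t body_len;
    if (decapsulate(tok, len, TOK_AP_REP, &body, &body_len) == EX_COMPLETE)
        return EX_COMPLETE;      /* real code: krb5_rd_rep() on body */
    if (decapsulate(tok, len, TOK_ERROR, &body, &body_len) == EX_COMPLETE)
        return EX_FAILURE;       /* real code: decode and report KRB-ERROR */
    return EX_DEFECTIVE_TOKEN;   /* never call rd_rep on unparsed data */
}
/* Wrap a constructed dummy body in a token with the given TOK_ID and run it
 * through the dispatch; returns the dispatch result. */
int check_sample(uint16_t tok_id)
{
    static const uint8_t body[] = { 0xaa, 0xbb, 0xcc };   /* constructed */
    uint8_t tok[32]; size_t n = 0;
    tok[n++] = 0x60; tok[n++] = (uint8_t)(sizeof KRB5_MECH_OID + 2 + sizeof body);
    memcpy(tok + n, KRB5_MECH_OID, sizeof KRB5_MECH_OID); n += sizeof KRB5_MECH_OID;
    tok[n++] = (uint8_t)(tok_id >> 8); tok[n++] = (uint8_t)tok_id;
    memcpy(tok + n, body, sizeof body); n += sizeof body;
    return repl_mutual_check(tok, n);
}
```

An echoed AP-REQ token takes the third path and is rejected before any AP-REP decoding happens, which is the behaviour the report expects from repl_mutual.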