15603 – Heimdal ignores _gsskrb5_decapsulate errors in init_sec_context/repl_mutual

Bug 15603 - Heimdal ignores _gsskrb5_decapsulate errors in init_sec_context/repl_mutual

Summary: Heimdal ignores _gsskrb5_decapsulate errors in init_sec_context/repl_mutual

Status:	NEW

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	Other (show other bugs)
Version:	4.20.0rc3
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Stefan Metzmacher
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2024-03-11 14:41 UTC by Stefan Metzmacher
Modified:	2024-08-02 12:14 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stefan Metzmacher 2024-03-11 14:41:21 UTC

It seems (at least our own) dns server echos the kerberos AP-REQ inside gssapi
and we feed that back into gss_init_sec_context().

In repl_mutual we expect _gsskrb5_decapsulate to check for a TOK_ID = KRB_AP_REP (02 00) pdu or fallback to KRB_ERROR (03 00), but for KRB_AP_REQ (01 00)
we get GSS_S_DEFECTIVE_TOKEN and ignore that an call krb5_rd_rep with
uninitialized data, which generates ASN1_MISSING_FIELD.

Comment 1 Samba QA Contact 2024-04-24 01:00:05 UTC

This bug was referenced in samba master:

9b92cbacac11fb64cca2c4770cbdce789525b87a

Comment 2 Samba QA Contact 2024-07-09 10:54:12 UTC

This bug was referenced in samba v4-20-test:

c86e8742373cfa022419de40427dba45239d0ae4

Comment 3 Samba QA Contact 2024-08-02 12:14:05 UTC

This bug was referenced in samba v4-20-stable (Release samba-4.20.3):

c86e8742373cfa022419de40427dba45239d0ae4