Bug 326 - Bug in AFS token forwarding
Summary: Bug in AFS token forwarding
Status: CLOSED WONTFIX
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: -current
Hardware: ix86 Linux
Importance: P4 normal
Assignee: OpenSSH Bugzilla mailing list
Reported: 2002-07-01 06:36 AEST by Alf Wachsmann
Modified: 2004-04-14 12:24 AEST
Attachments
Proposed fix for AFS token forwarding problem (730 bytes, patch)
2003-05-17 02:09 AEST, Alf Wachsmann

Description Alf Wachsmann 2002-07-01 06:36:42 AEST
There is a bug in the code for getting AFS tokens in function
send_afs_tokens() in sshconnect1.c

Here is how the bug manifests itself:
If I have an AFS token that is still valid _and_ one that was valid but
is now expired then AFS token forwarding ignores both tokens instead
of forwarding the still valid one.

I can reproduce this problem on Red Hat Linux 7.2 systems with
OpenSSH-3.4p1 (and probably all older versions) compiled with
KTH-Krb4-1.1.1 (this is where the k_pioctl() function comes from; see
below). I am using OpenAFS-1.2.5. The same happens on Solaris 8
(OpenSSH-3.4p1, KTH-Krb4-1.1.1, IBM/Transarc AFS).

Here is the cause for the bug:
The problem is that k_pioctl() returns -1 and "errno" returns an error
code ENOTCONN for _all_ tokens it finds if there is an expired token present.
The loop has to continue in this case although the _data_ returned
by k_pioctl() is invalid. This invalidness can be checked by comparing
the length of the "ClearToken" component with the size of the ClearToken
struct. In OpenSSH-3.4p1 this condition is checked in sshconnect1.c line
814. But it is wrong to "break" out of the loop because of this condition.
Jumping to the next token is the correct behavior.
"errno" returns "EDOM" if all tokens are listed.

Here is a patch that fixes this bug:
--- sshconnect1.c.orig  Fri Jun 28 13:25:51 2002
+++ sshconnect1.c       Fri Jun 28 13:23:56 2002
@@ -797,7 +797,8 @@
                parms.in_size = sizeof(i);
                parms.out = buf;
                parms.out_size = sizeof(buf);
-               if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0)
+                k_pioctl(0, VIOCGETTOK, &parms, 0);
+               if(errno == EDOM)
                        break;
                p = buf;
 
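Review bot: errno is tested after k_pioctl() with the return value thrown away, in the rewritten if at the top of this hunk. errno is only meaningful after a call that failed; when k_pioctl() returns 0, errno still holds whatever an earlier call left there, so a stale EDOM ends the enumeration before any token is read. Keep the return value and look at errno only on failure, for example: if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0 && errno == EDOM) break; The added k_pioctl line is also indented with spaces where the surrounding lines use tabs, and if(errno needs a space after if.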
@@ -811,8 +812,7 @@
 
                /* Get clear token. */
                memcpy(&len, p, sizeof(len));
-               if (len != sizeof(struct ClearToken))
-                       break;
+                if (len == sizeof(struct ClearToken)) {
                p += sizeof(len);
                memcpy(&ct, p, len);
                p += len;
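Review bot: the length test added before p += sizeof(len) is now the only check between a failed k_pioctl() and the memcpy into ct, and it reads buf, which a failed call may leave unchanged from the previous iteration. If that leftover length still equals sizeof(struct ClearToken), the previous token could be parsed and forwarded again. Clear buf before each k_pioctl() call so the test cannot match old data. Since the guarded block runs to the end of the loop body, if (len != sizeof(struct ClearToken)) continue; does the same job without the unindented block and without the extra closing brace in the last hunk.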
@@ -848,6 +848,7 @@
                        debug("AFS token for cell %s rejected.", server_cell);
                else if (type != SSH_SMSG_SUCCESS)
                        packet_disconnect("Protocol error on AFS tokenresponse:
%d", type);
+                }

        }
 }
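Review bot: the } added after the packet_disconnect() call closes the length-check block with no else, so a token skipped because of a bad ClearToken length leaves nothing in the debug output, while the rejected case a few lines up is logged with debug(). Add an else branch with a debug() message for the skipped entry. The packet_disconnect() context line is also split across two lines in this paste, which will stop the hunk from applying.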
Comment 1 Damien Miller 2003-05-16 13:31:53 AEST
Please attach your patch to the bug, rather than pasting it. Pasting patches
corrupts them.
Comment 2 Alf Wachsmann 2003-05-17 02:09:37 AEST
Created attachment 305
Proposed fix for AFS token forwarding problem

I did not adapt indentation to keep the patch short.
Comment 3 Darren Tucker 2003-08-26 17:48:52 AEST
AFS support has been dropped, should this be closed?
Comment 4 Alf Wachsmann 2003-08-27 01:42:04 AEST
Looking at the latest version openssh-3.6.1p2, I still see AFS support in
sshconnect1.c.

As long as this code is there, the reported bug is there and should be fixed.

-- Alf.
Comment 5 Markus Friedl 2003-08-27 02:50:48 AEST
AFS support for protocol 1 has been dropped.
Comment 6 Damien Miller 2004-04-14 12:24:18 AEST
Mass change of RESOLVED bugs to CLOSED