SHA256
1
0
forked from pool/krb5
krb5/krb5-1.10-kpasswd_tcp.patch
Michael Calmer 84f939323f - update to version 1.10.2
obsolte patches:
  * krb5-1.7-nodeplibs.patch
  * krb5-1.9.1-ai_addrconfig.patch
  * krb5-1.9.1-ai_addrconfig2.patch
  * krb5-1.9.1-sendto_poll.patch
  * krb5-1.9-canonicalize-fallback.patch
  * krb5-1.9-paren.patch
  * krb5-klist_s.patch
  * krb5-pkinit-cms2.patch
  * krb5-trunk-chpw-err.patch
  * krb5-trunk-gss_delete_sec.patch
  * krb5-trunk-kadmin-oldproto.patch
  * krb5-1.9-MITKRB5-SA-2011-006.dif
  * krb5-1.9-gss_display_status-iakerb.patch
  * krb5-1.9.1-sendto_poll2.patch
  * krb5-1.9.1-sendto_poll3.patch
  * krb5-1.9-MITKRB5-SA-2011-007.dif
- Fix an interop issue with Windows Server 2008 R2 Read-Only Domain
  Controllers.
- Update a workaround for a glibc bug that would cause DNS PTR queries
  to occur even when rdns = false.
- Fix a kadmind denial of service issue (null pointer dereference),
  which could only be triggered by an administrator with the "create"
  privilege.  [CVE-2012-1013]
- Fix access controls for KDB string attributes [CVE-2012-1012]
- Make the ASN.1 encoding of key version numbers interoperate with
  Windows Read-Only Domain Controllers
- Avoid generating spurious password expiry warnings in cases where
  the KDC sends an account expiry time without a password expiry time

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=65
2012-06-06 14:55:51 +00:00

35 lines
1.4 KiB
Diff

Fall back to TCP on kdc-unresolvable/unreachable errors. We still have
to wait for UDP to fail, so this might not be ideal. RT #5868.
Index: krb5-1.10.2/src/lib/krb5/os/changepw.c
===================================================================
--- krb5-1.10.2.orig/src/lib/krb5/os/changepw.c
+++ krb5-1.10.2/src/lib/krb5/os/changepw.c
@@ -274,10 +274,22 @@ change_set_password(krb5_context context
&callback_info, &chpw_rep, ss2sa(&remote_addr),
&addrlen, NULL, NULL, NULL);
if (code) {
- /*
- * Here we may want to switch to TCP on some errors.
- * right?
- */
+ /* if we're not using a stream socket, and it's an error which
+ * might reasonably be specific to a datagram "connection", try
+ * again with a stream socket */
+ if (!use_tcp) {
+ switch (code) {
+ case KRB5_KDC_UNREACH:
+ case KRB5_REALM_CANT_RESOLVE:
+ case KRB5KRB_ERR_RESPONSE_TOO_BIG:
+ /* should we do this for more result codes than these? */
+ k5_free_serverlist (&sl);
+ use_tcp = 1;
+ continue;
+ default:
+ break;
+ }
+ }
break;
}