authortron <tron@pkgsrc.org>2008-06-08 12:00:23 +0000
committertron <tron@pkgsrc.org>2008-06-08 12:00:23 +0000
commit7f3e82e0b7352e4d2ac636237350d2d5f07f57da (patch)
tree53098c6ef16b33675ee4aea32a384235759ae71b
parent5ec13cc79c1d1755fdb60b7215123b6aa57ceffb (diff)
Pullup ticket #2417 - requested by tonnerre
Security patches for mit-krb5 Revisions pulled up: - security/mit-krb5/Makefile 1.43 - security/mit-krb5/distinfo 1.20 - security/mit-krb5/patches/patch-at 1.2 - security/mit-krb5/patches/patch-bh 1.1 - security/mit-krb5/patches/patch-bi 1.1 - security/mit-krb5/patches/patch-bj 1.1 - security/mit-krb5/patches/patch-bk 1.1 - security/mit-krb5/patches/patch-bl 1.1 --- Module Name: pkgsrc Committed By: tonnerre Date: Sat Jun 7 23:58:11 UTC 2008 Modified Files: pkgsrc/security/mit-krb5: Makefile distinfo pkgsrc/security/mit-krb5/patches: patch-at Added Files: pkgsrc/security/mit-krb5/patches: patch-bh patch-bi patch-bj patch-bk patch-bl Log Message: Add more patches, now for MITKRB5-SA-2007-006, MITKRB5-SA-2008-001 and MITKRB5-SA-2008-002. Bump PKGREVISION now finally.
-rw-r--r--security/mit-krb5/Makefile4
-rw-r--r--security/mit-krb5/distinfo9
-rw-r--r--security/mit-krb5/patches/patch-at30
-rw-r--r--security/mit-krb5/patches/patch-bh28
-rw-r--r--security/mit-krb5/patches/patch-bi51
-rw-r--r--security/mit-krb5/patches/patch-bj13
-rw-r--r--security/mit-krb5/patches/patch-bk283
-rw-r--r--security/mit-krb5/patches/patch-bl13
8 files changed, 421 insertions, 10 deletions
diff --git a/security/mit-krb5/Makefile b/security/mit-krb5/Makefile
index c564a9d13be..b6ede0598fc 100644
--- a/security/mit-krb5/Makefile
+++ b/security/mit-krb5/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.41.8.1 2008/06/08 11:47:13 tron Exp $
+# $NetBSD: Makefile,v 1.41.8.2 2008/06/08 12:00:23 tron Exp $
DISTNAME= krb5-1.4.2
PKGNAME= mit-${DISTNAME:S/-signed$//}
-PKGREVISION= 5
+PKGREVISION= 6
CATEGORIES= security
MASTER_SITES= http://web.mit.edu/kerberos/dist/krb5/1.4/
DISTFILES= ${DISTNAME}-signed${EXTRACT_SUFX}
diff --git a/security/mit-krb5/distinfo b/security/mit-krb5/distinfo
index d45955e6351..4c11c248353 100644
--- a/security/mit-krb5/distinfo
+++ b/security/mit-krb5/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.16.10.1 2008/06/08 11:47:13 tron Exp $
+$NetBSD: distinfo,v 1.16.10.2 2008/06/08 12:00:23 tron Exp $
SHA1 (krb5-1.4.2-signed.tar) = bbc03bd319d539fb9523c2545d80ba0784522e88
RMD160 (krb5-1.4.2-signed.tar) = 44500f5fab8e5959cf43f17f5f52f68e2dc73a1f
@@ -22,7 +22,7 @@ SHA1 (patch-ap) = c77a8f7bc35aa184e510bac576c12f55d5cfbf65
SHA1 (patch-aq) = 52429b712ca7a478caeb76fd165585c7aab7fa02
SHA1 (patch-ar) = 37807c14f03533aef8796ac90e5fac36ff98308a
SHA1 (patch-as) = b155219fd512b59f698497af1bf6acf1ca4f4a34
-SHA1 (patch-at) = df0605b0f5fbaef6b7540f87079ae64b2acc464c
+SHA1 (patch-at) = f5837580b496c454a35a3d8b955e5209074c267d
SHA1 (patch-au) = 238f497afd9ad129babc0b6c727eb23e9915536c
SHA1 (patch-av) = db0fce68f58307be4c359758f2c9b31d62ab8348
SHA1 (patch-aw) = 0e651b675d166e71f6543cbad8e29eece89d5b67
@@ -36,3 +36,8 @@ SHA1 (patch-bd) = 8cf0425d2fedea452f80fa599f3c4515e51d834c
SHA1 (patch-be) = c4497d7b68cefd8109d615c2125d9dc7aa508e5d
SHA1 (patch-bf) = 1e16b6cbe51a5aa07ac7c7c3c343e82bf16dcde6
SHA1 (patch-bg) = fa70e00a2eb283782c9960a2c74a879862b979c5
+SHA1 (patch-bh) = 761ca395732d3f3eac0bc1fdbec0ad65aeea8df0
+SHA1 (patch-bi) = ab91152460485ede492573ce379461e892196647
+SHA1 (patch-bj) = d0deae92b8b4d9ad671c98ccb3debd7a4216f646
+SHA1 (patch-bk) = 9bf37086a4e7661e8aacc2736d21f61db154263e
+SHA1 (patch-bl) = d1239c8c8279680a97f7c555907ac1b4ccfca6b4
diff --git a/security/mit-krb5/patches/patch-at b/security/mit-krb5/patches/patch-at
index 02e741fbcc8..316c6bd7534 100644
--- a/security/mit-krb5/patches/patch-at
+++ b/security/mit-krb5/patches/patch-at
@@ -1,10 +1,28 @@
-$NetBSD: patch-at,v 1.1 2007/01/17 23:43:47 salo Exp $
-
-Security fix for CVE-2006-6143.
+$NetBSD: patch-at,v 1.1.12.1 2008/06/08 12:00:23 tron Exp $
--- lib/rpc/svc.c.orig 2004-09-21 20:20:15.000000000 +0200
-+++ lib/rpc/svc.c 2007-01-17 21:58:10.000000000 +0100
-@@ -436,6 +436,8 @@ svc_getreqset(FDSET_TYPE *readfds)
++++ lib/rpc/svc.c
+@@ -108,15 +108,17 @@ xprt_register(SVCXPRT *xprt)
+ if (sock < FD_SETSIZE) {
+ xports[sock] = xprt;
+ FD_SET(sock, &svc_fdset);
++ if (sock > svc_maxfd)
++ svc_maxfd = sock;
+ }
+ #else
+ if (sock < NOFILE) {
+ xports[sock] = xprt;
+ svc_fds |= (1 << sock);
++ if (sock > svc_maxfd)
++ svc_maxfd = sock;
+ }
+ #endif /* def FD_SETSIZE */
+- if (sock > svc_maxfd)
+- svc_maxfd = sock;
+ }
+
+ /*
+@@ -436,6 +438,8 @@ svc_getreqset(FDSET_TYPE *readfds)
#endif
}
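Review bot: The new revision of patch-at drops the `Security fix for CVE-2006-6143.` line and adds the xprt_register hunk without naming the advisory it belongs to, so the patch file no longer records why either change exists. Keep the old line and add one for the new hunk, for example `Security fix for CVE-2006-6143; fd bounds fix from MITKRB5-SA-<advisory id>.`, with the id taken from the commit log. The same applies to patch-bh, patch-bi, patch-bj, patch-bk and patch-bl, which are added with only the $NetBSD$ tag. Separately, in xprt_register a socket at or above FD_SETSIZE (or NOFILE) is skipped with no diagnostic, and the visible lines return nothing to the caller, so a transport that was never registered looks the same as one that was.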
@@ -13,7 +31,7 @@ Security fix for CVE-2006-6143.
static void
svc_do_xprt(SVCXPRT *xprt)
{
-@@ -517,6 +519,9 @@ svc_do_xprt(SVCXPRT *xprt)
+@@ -517,6 +521,9 @@ svc_do_xprt(SVCXPRT *xprt)
if ((stat = SVC_STAT(xprt)) == XPRT_DIED){
SVC_DESTROY(xprt);
break;
diff --git a/security/mit-krb5/patches/patch-bh b/security/mit-krb5/patches/patch-bh
new file mode 100644
index 00000000000..15ca1b0c086
--- /dev/null
+++ b/security/mit-krb5/patches/patch-bh
@@ -0,0 +1,28 @@
+$NetBSD: patch-bh,v 1.1.2.2 2008/06/08 12:00:23 tron Exp $
+
+--- lib/rpc/svc_auth_gss.c.orig 2004-09-17 23:52:11.000000000 +0200
++++ lib/rpc/svc_auth_gss.c
+@@ -355,6 +355,15 @@ svcauth_gss_validate(struct svc_req *rqs
+ memset(rpchdr, 0, sizeof(rpchdr));
+
+ /* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
++ oa = &msg->rm_call.cb_cred;
++ if (oa->oa_length > MAX_AUTH_BYTES)
++ return (FALSE);
++
++ /* 8 XDR units from the IXDR macro calls. */
++ if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
++ RNDUP(oa->oa_length)))
++ return (FALSE);
++
+ buf = (int32_t *)(void *)rpchdr;
+ IXDR_PUT_LONG(buf, msg->rm_xid);
+ IXDR_PUT_ENUM(buf, msg->rm_direction);
+@@ -362,7 +371,6 @@ svcauth_gss_validate(struct svc_req *rqs
+ IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
+ IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
+ IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
+- oa = &msg->rm_call.cb_cred;
+ IXDR_PUT_ENUM(buf, oa->oa_flavor);
+ IXDR_PUT_LONG(buf, oa->oa_length);
+ if (oa->oa_length) {
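Review bot: The second guard in svcauth_gss_validate is only safe because of the first, and the comment does not say so: `RNDUP(oa->oa_length)` rounds an unsigned length up and can be trusted not to wrap only once `oa_length` has been capped at MAX_AUTH_BYTES. I would extend the comment to `/* oa_length is bounded above, so RNDUP cannot wrap; 8 XDR units from the IXDR macro calls. */` so the two checks are not reordered or merged later. Both rejections return FALSE without a log line, which may make a malformed credential hard to spot on the server side; presumably the caller reports the failure, but that is not visible here. The function body starts and ends outside the hunk.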
diff --git a/security/mit-krb5/patches/patch-bi b/security/mit-krb5/patches/patch-bi
new file mode 100644
index 00000000000..7c3729f2735
--- /dev/null
+++ b/security/mit-krb5/patches/patch-bi
@@ -0,0 +1,51 @@
+$NetBSD: patch-bi,v 1.1.2.2 2008/06/08 12:00:23 tron Exp $
+
+--- lib/rpc/svc_tcp.c.orig 2004-09-21 20:20:16.000000000 +0200
++++ lib/rpc/svc_tcp.c
+@@ -52,6 +52,14 @@ static char sccsid[] = "@(#)svc_tcp.c 1.
+ extern errno;
+ */
+
++#ifndef FD_SETSIZE
++#ifdef NBBY
++#define NOFILE (sizeof(int) * NBBY)
++#else
++#define NOFILE (sizeof(int) * 8)
++#endif
++#endif
++
+ /*
+ * Ops vector for TCP/IP based rpc service handle
+ */
+@@ -211,6 +219,20 @@ makefd_xprt(
+ {
+ register SVCXPRT *xprt;
+ register struct tcp_conn *cd;
++
++#ifdef FD_SETSIZE
++ if (fd >= FD_SETSIZE) {
++ (void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n");
++ xprt = NULL;
++ goto done;
++ }
++#else
++ if (fd >= NOFILE) {
++ (void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n");
++ xprt = NULL;
++ goto done;
++ }
++#endif
+
+ xprt = (SVCXPRT *)mem_alloc(sizeof(SVCXPRT));
+ if (xprt == (SVCXPRT *)NULL) {
+@@ -267,6 +289,10 @@ rendezvous_request(
+ * make a new transporter (re-uses xprt)
+ */
+ xprt = makefd_xprt(sock, r->sendsize, r->recvsize);
++ if (xprt == NULL) {
++ close(sock);
++ return (FALSE);
++ }
+ xprt->xp_raddr = addr;
+ xprt->xp_addrlen = len;
+ xprt->xp_laddr = laddr;
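Review bot: The new bound in makefd_xprt rejects only descriptors that are too high; in the `#ifdef FD_SETSIZE` branch a negative `fd` still passes, and the guard in xprt_register (patch-at) is upper-bound only as well, so it would be used as an array index there. Whether any caller can pass a negative value is not visible here, but `if (fd < 0 || fd >= FD_SETSIZE) {` costs nothing, and the NOFILE branch should get the same test for symmetry. The two branches are otherwise identical, so one `#ifdef` that selects the limit followed by a single check would avoid the duplicated body. The fallback `#define NOFILE` is not wrapped in `#ifndef NOFILE`, so it may clash with a definition from a system header or diverge from the one lib/rpc/svc.c uses; worth confirming against that file, which is not shown in full.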
diff --git a/security/mit-krb5/patches/patch-bj b/security/mit-krb5/patches/patch-bj
new file mode 100644
index 00000000000..005371656cf
--- /dev/null
+++ b/security/mit-krb5/patches/patch-bj
@@ -0,0 +1,13 @@
+$NetBSD: patch-bj,v 1.1.2.2 2008/06/08 12:00:23 tron Exp $
+
+--- kdc/dispatch.c.orig 2002-09-11 05:59:26.000000000 +0200
++++ kdc/dispatch.c
+@@ -108,7 +108,7 @@ dispatch(krb5_data *pkt, const krb5_full
+ retval = KRB5KRB_AP_ERR_MSG_TYPE;
+ #ifndef NOCACHE
+ /* put the response into the lookaside buffer */
+- if (!retval)
++ if (!retval && *response != NULL)
+ kdc_insert_lookaside(pkt, from, *response);
+ #endif
+
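Review bot: The added `*response != NULL` test has no comment, and the reason a handler can report success without a response is only visible in patch-bk, where process_v4 returns `retval` while kerberos_v4 may hand back a null pointer. Add `/* a handler may succeed without producing a reply (e.g. the krb4 path); nothing to cache then */` above the test so the condition is not simplified away later. dispatch() starts and ends outside the hunk, so whether `response` itself is always non-null at this point cannot be checked from here.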
diff --git a/security/mit-krb5/patches/patch-bk b/security/mit-krb5/patches/patch-bk
new file mode 100644
index 00000000000..85c6fcfa94e
--- /dev/null
+++ b/security/mit-krb5/patches/patch-bk
@@ -0,0 +1,283 @@
+$NetBSD: patch-bk,v 1.1.2.2 2008/06/08 12:00:23 tron Exp $
+
+--- kdc/kerberos_v4.c.orig 2004-07-24 02:40:18.000000000 +0200
++++ kdc/kerberos_v4.c
+@@ -86,11 +86,6 @@ extern int krbONE;
+ #define MSB_FIRST 0 /* 68000, IBM RT/PC */
+ #define LSB_FIRST 1 /* Vax, PC8086 */
+
+-int f;
+-
+-/* XXX several files in libkdb know about this */
+-char *progname;
+-
+ #ifndef BACKWARD_COMPAT
+ static Key_schedule master_key_schedule;
+ static C_Block master_key;
+@@ -142,10 +137,8 @@ static void hang(void);
+ #include "com_err.h"
+ #include "extern.h" /* to pick up master_princ */
+
+-static krb5_data *response;
+-
+-void kerberos_v4 (struct sockaddr_in *, KTEXT);
+-void kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *);
++static krb5_data *kerberos_v4 (struct sockaddr_in *, KTEXT);
++static krb5_data *kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *);
+ static int set_tgtkey (char *, krb5_kvno, krb5_boolean);
+
+ /* Attributes converted from V5 to V4 - internal representation */
+@@ -261,12 +254,12 @@ process_v4(const krb5_data *pkt, const k
+ (void) klog(L_KRB_PERR, "V4 request too long.");
+ return KRB5KRB_ERR_FIELD_TOOLONG;
+ }
++ memset( &v4_pkt, 0, sizeof(v4_pkt));
+ v4_pkt.length = pkt->length;
+ v4_pkt.mbz = 0;
+ memcpy( v4_pkt.dat, pkt->data, pkt->length);
+
+- kerberos_v4( &client_sockaddr, &v4_pkt);
+- *resp = response;
++ *resp = kerberos_v4( &client_sockaddr, &v4_pkt);
+ return(retval);
+ }
+
+@@ -299,19 +292,20 @@ char * v4_klog( int type, const char *fo
+ }
+
+ static
+-int krb4_sendto(int s, const char *msg, int len, int flags,
+- const struct sockaddr *to, int to_len)
++krb5_data *make_response(const char *msg, int len)
+ {
++ krb5_data *response;
++
+ if ( !(response = (krb5_data *) malloc( sizeof *response))) {
+- return ENOMEM;
++ return 0;
+ }
+ if ( !(response->data = (char *) malloc( len))) {
+ krb5_free_data(kdc_context, response);
+- return ENOMEM;
++ return 0;
+ }
+ response->length = len;
+ memcpy( response->data, msg, len);
+- return( 0);
++ return response;
+ }
+ static void
+ hang(void)
+@@ -590,7 +584,7 @@ static void str_length_check(char *str,
+ *cp = 0;
+ }
+
+-void
++static krb5_data *
+ kerberos_v4(struct sockaddr_in *client, KTEXT pkt)
+ {
+ static KTEXT_ST rpkt_st;
+@@ -603,7 +597,7 @@ kerberos_v4(struct sockaddr_in *client,
+ KTEXT auth = &auth_st;
+ AUTH_DAT ad_st;
+ AUTH_DAT *ad = &ad_st;
+-
++ krb5_data *response = 0;
+
+ static struct in_addr client_host;
+ static int msg_byte_order;
+@@ -641,8 +635,7 @@ kerberos_v4(struct sockaddr_in *client,
+ inet_ntoa(client_host));
+ /* send an error reply */
+ req_name_ptr = req_inst_ptr = req_realm_ptr = "";
+- kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt);
+- return;
++ return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt);
+ }
+
+ /* check packet version */
+@@ -652,8 +645,7 @@ kerberos_v4(struct sockaddr_in *client,
+ KRB_PROT_VERSION, req_version, 0);
+ /* send an error reply */
+ req_name_ptr = req_inst_ptr = req_realm_ptr = "";
+- kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt);
+- return;
++ return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt);
+ }
+ msg_byte_order = req_msg_type & 1;
+
+@@ -711,10 +703,10 @@ kerberos_v4(struct sockaddr_in *client,
+
+ if ((i = check_princ(req_name_ptr, req_inst_ptr, 0,
+ &a_name_data, &k5key, 0, &ck5life))) {
+- kerb_err_reply(client, pkt, i, "check_princ failed");
++ response = kerb_err_reply(client, pkt, i, "check_princ failed");
+ a_name_data.key_low = a_name_data.key_high = 0;
+ krb5_free_keyblock_contents(kdc_context, &k5key);
+- return;
++ return response;
+ }
+ /* don't use k5key for client */
+ krb5_free_keyblock_contents(kdc_context, &k5key);
+@@ -726,11 +718,11 @@ kerberos_v4(struct sockaddr_in *client,
+ /* this does all the checking */
+ if ((i = check_princ(service, instance, lifetime,
+ &s_name_data, &k5key, 1, &sk5life))) {
+- kerb_err_reply(client, pkt, i, "check_princ failed");
++ response = kerb_err_reply(client, pkt, i, "check_princ failed");
+ a_name_data.key_high = a_name_data.key_low = 0;
+ s_name_data.key_high = s_name_data.key_low = 0;
+ krb5_free_keyblock_contents(kdc_context, &k5key);
+- return;
++ return response;
+ }
+ /* Bound requested lifetime with service and user */
+ v4req_end = krb_life_to_time(kerb_time.tv_sec, req_life);
+@@ -801,8 +793,7 @@ kerberos_v4(struct sockaddr_in *client,
+ rpkt = create_auth_reply(req_name_ptr, req_inst_ptr,
+ req_realm_ptr, req_time_ws, 0, a_name_data.exp_date,
+ a_name_data.key_version, ciph);
+- krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0,
+- (struct sockaddr *) client, S_AD_SZ);
++ response = make_response((char *) rpkt->dat, rpkt->length);
+ memset(&a_name_data, 0, sizeof(a_name_data));
+ memset(&s_name_data, 0, sizeof(s_name_data));
+ break;
+@@ -828,9 +819,8 @@ kerberos_v4(struct sockaddr_in *client,
+ lt = klog(L_KRB_PERR,
+ "APPL request with realm length too long from %s",
+ inet_ntoa(client_host));
+- kerb_err_reply(client, pkt, RD_AP_INCON,
+- "realm length too long");
+- return;
++ return kerb_err_reply(client, pkt, RD_AP_INCON,
++ "realm length too long");
+ }
+
+ auth->length += (int) *(pkt->dat + auth->length) +
+@@ -839,9 +829,8 @@ kerberos_v4(struct sockaddr_in *client,
+ lt = klog(L_KRB_PERR,
+ "APPL request with funky tkt or req_id length from %s",
+ inet_ntoa(client_host));
+- kerb_err_reply(client, pkt, RD_AP_INCON,
+- "funky tkt or req_id length");
+- return;
++ return kerb_err_reply(client, pkt, RD_AP_INCON,
++ "funky tkt or req_id length");
+ }
+
+ memcpy(auth->dat, pkt->dat, auth->length);
+@@ -852,18 +841,16 @@ kerberos_v4(struct sockaddr_in *client,
+ if ((!allow_v4_crossrealm)&&strcmp(tktrlm, local_realm) != 0) {
+ lt = klog(L_ERR_UNK,
+ "Cross realm ticket from %s denied by policy,", tktrlm);
+- kerb_err_reply(client, pkt,
+- KERB_ERR_PRINCIPAL_UNKNOWN, lt);
+- return;
++ return kerb_err_reply(client, pkt,
++ KERB_ERR_PRINCIPAL_UNKNOWN, lt);
+ }
+ if (set_tgtkey(tktrlm, kvno, 0)) {
+- lt = klog(L_ERR_UNK,
++ lt = klog(L_ERR_UNK,
+ "FAILED set_tgtkey realm %s, kvno %d. Host: %s ",
+ tktrlm, kvno, inet_ntoa(client_host));
+ /* no better error code */
+- kerb_err_reply(client, pkt,
+- KERB_ERR_PRINCIPAL_UNKNOWN, lt);
+- return;
++ return kerb_err_reply(client, pkt,
++ KERB_ERR_PRINCIPAL_UNKNOWN, lt);
+ }
+ kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr,
+ ad, 0);
+@@ -873,9 +860,8 @@ kerberos_v4(struct sockaddr_in *client,
+ "FAILED 3des set_tgtkey realm %s, kvno %d. Host: %s ",
+ tktrlm, kvno, inet_ntoa(client_host));
+ /* no better error code */
+- kerb_err_reply(client, pkt,
+- KERB_ERR_PRINCIPAL_UNKNOWN, lt);
+- return;
++ return kerb_err_reply(client, pkt,
++ KERB_ERR_PRINCIPAL_UNKNOWN, lt);
+ }
+ kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr,
+ ad, 0);
+@@ -885,8 +871,7 @@ kerberos_v4(struct sockaddr_in *client,
+ klog(L_ERR_UNK, "FAILED krb_rd_req from %s: %s",
+ inet_ntoa(client_host), krb_get_err_text(kerno));
+ req_name_ptr = req_inst_ptr = req_realm_ptr = "";
+- kerb_err_reply(client, pkt, kerno, "krb_rd_req failed");
+- return;
++ return kerb_err_reply(client, pkt, kerno, "krb_rd_req failed");
+ }
+ ptr = (char *) pkt->dat + auth->length;
+
+@@ -908,22 +893,20 @@ kerberos_v4(struct sockaddr_in *client,
+ req_realm_ptr = ad->prealm;
+
+ if (strcmp(ad->prealm, tktrlm)) {
+- kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN,
+- "Can't hop realms");
+- return;
++ return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN,
++ "Can't hop realms");
+ }
+ if (!strcmp(service, "changepw")) {
+- kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN,
+- "Can't authorize password changed based on TGT");
+- return;
++ return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN,
++ "Can't authorize password changed based on TGT");
+ }
+ kerno = check_princ(service, instance, req_life,
+ &s_name_data, &k5key, 1, &sk5life);
+ if (kerno) {
+- kerb_err_reply(client, pkt, kerno, "check_princ failed");
++ response = kerb_err_reply(client, pkt, kerno, "check_princ failed");
+ s_name_data.key_high = s_name_data.key_low = 0;
+ krb5_free_keyblock_contents(kdc_context, &k5key);
+- return;
++ return response;
+ }
+ /* Bound requested lifetime with service and user */
+ v4endtime = krb_life_to_time((KRB4_32)ad->time_sec, ad->life);
+@@ -979,8 +962,7 @@ kerberos_v4(struct sockaddr_in *client,
+ rpkt = create_auth_reply(ad->pname, ad->pinst,
+ ad->prealm, time_ws,
+ 0, 0, 0, ciph);
+- krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0,
+- (struct sockaddr *) client, S_AD_SZ);
++ response = make_response((char *) rpkt->dat, rpkt->length);
+ memset(&s_name_data, 0, sizeof(s_name_data));
+ break;
+ }
+@@ -1005,6 +987,8 @@ kerberos_v4(struct sockaddr_in *client,
+ break;
+ }
+ }
++
++ return response;
+ }
+
+
+@@ -1014,7 +998,7 @@ kerberos_v4(struct sockaddr_in *client,
+ * client.
+ */
+
+-void
++static krb5_data *
+ kerb_err_reply(struct sockaddr_in *client, KTEXT pkt, long int err, char *string)
+ {
+ static KTEXT_ST e_pkt_st;
+@@ -1025,9 +1009,7 @@ kerb_err_reply(struct sockaddr_in *clien
+ strncat(e_msg, string, sizeof(e_msg) - 1 - 19);
+ cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr,
+ req_time_ws, err, e_msg);
+- krb4_sendto(f, (char *) e_pkt->dat, e_pkt->length, 0,
+- (struct sockaddr *) client, S_AD_SZ);
+-
++ return make_response((char *) e_pkt->dat, e_pkt->length);
+ }
+
+ static int
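Review bot: make_response has no comment stating its contract, and the whole change rests on it: the reply is now a heap-allocated krb5_data returned through kerberos_v4 and process_v4 instead of the removed file-scope `response`. Add a header comment saying that it copies `len` bytes of `msg` into a new krb5_data, that the result is presumably released by the caller with krb5_free_data, and that it returns a null pointer on allocation failure. The failure returns are written `return 0;` and the local is initialised with `krb5_data *response = 0;`; `NULL` reads better for pointers. `len` is an `int` passed straight to malloc and memcpy, so a guard such as `if (len < 0) return NULL;` would be cheap insurance against a bad `rpkt->length`. The allocation-failure path no longer surfaces ENOMEM anywhere, so a klog call there would tell operators why a request got no reply.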
diff --git a/security/mit-krb5/patches/patch-bl b/security/mit-krb5/patches/patch-bl
new file mode 100644
index 00000000000..5bccf7882ff
--- /dev/null
+++ b/security/mit-krb5/patches/patch-bl
@@ -0,0 +1,13 @@
+$NetBSD: patch-bl,v 1.1.2.2 2008/06/08 12:00:23 tron Exp $
+
+--- kdc/network.c.orig 2005-07-12 22:59:51.000000000 +0200
++++ kdc/network.c
+@@ -748,6 +748,8 @@ static void process_packet(struct connec
+ com_err(prog, retval, "while dispatching (udp)");
+ return;
+ }
++ if (response == NULL)
++ return;
+ cc = sendto(port_fd, response->data, (socklen_t) response->length, 0,
+ (struct sockaddr *)&saddr, saddr_len);
+ if (cc == -1) {
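Review bot: The null check in process_packet covers only the UDP send shown here; any other place in kdc/network.c that dereferences the output of dispatch() needs the same guard, and none is touched by this patch. I would confirm that by checking every dispatch() caller in network.c before relying on this fix, and add a comment such as `/* dispatch() may succeed without a reply; nothing to send */` above the check. process_packet starts and ends outside the hunk.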