diff options
author | Greg Hudson <ghudson@mit.edu> | 2017-08-24 16:00:33 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2017-09-08 11:56:10 -0400 |
commit | 54e58755368b58ba5894a14c1d02626da42d8003 (patch) | |
tree | 002675b781fdf58c07408cde966fa9bb5d673a97 /src/clients | |
parent | 4cfb64e362443be36a4cb92fb8f5d1d93280fb3f (diff) | |
download | krb5-54e58755368b58ba5894a14c1d02626da42d8003.zip krb5-54e58755368b58ba5894a14c1d02626da42d8003.tar.gz krb5-54e58755368b58ba5894a14c1d02626da42d8003.tar.bz2 |
Limit ticket lifetime to 2^31-1 seconds
Although timestamps above 2^31-1 are now valid, intervals exceeding
2^31-1 seconds may be treated incorrectly by comparison operations.
The initially computed interval in kdc_get_ticket_endtime() could be
negative if the requested end time is far in the future, causing the
function to yield an incorrect result. (With the new larger value of
kdc_infinity, this could specifically happen if a KDC-REQ contains a
zero till field.) Cap the interval at the maximum valid value.
Reported by Weijun Wang.
Avoid delta comparisons in favor of timestamp comparions in
krb5int_validate_times(), ksu's krb5_check_exp(), and clockskew
checks.
Also use a y2038-safe timestamp comparison in set_request_times() when
comparing the requested renewable end time to the requested ticket end
time.
ticket: 8352
Diffstat (limited to 'src/clients')
-rw-r--r-- | src/clients/ksu/ccache.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c index 236313b..2a99521 100644 --- a/src/clients/ksu/ccache.c +++ b/src/clients/ksu/ccache.c @@ -282,7 +282,7 @@ krb5_error_code krb5_check_exp(context, tkt_time) } - if (ts_delta(currenttime, tkt_time.endtime) > context->clockskew) { + if (ts_after(currenttime, ts_incr(tkt_time.endtime, context->clockskew))) { retval = KRB5KRB_AP_ERR_TKT_EXPIRED ; return retval; } |