Index: kerberos_v4.c =================================================================== RCS file: /cvs/krbdev/krb5/src/kdc/kerberos_v4.c,v retrieving revision 5.56.4.3 diff -c -r5.56.4.3 kerberos_v4.c *** kerberos_v4.c 1998/05/10 03:02:55 5.56.4.3 --- kerberos_v4.c 2000/05/19 19:38:17 *************** *** 173,183 **** return(retval); if (!*local_realm) { /* local-realm name already set up */ - /* XXX assumes realm is null-terminated! */ lrealm = master_princ->realm.data; ! if (strlen(lrealm) < sizeof(local_realm)) ! strcpy(local_realm, lrealm); ! else retval = KRB5_CONFIG_NOTENUFSPACE; } /* convert client_fulladdr to client_sockaddr: --- 173,183 ---- return(retval); if (!*local_realm) { /* local-realm name already set up */ lrealm = master_princ->realm.data; ! if (master_princ->realm.length < sizeof(local_realm)) { ! memcpy(local_realm, lrealm, master_princ->realm.length); ! local_realm[master_princ->realm.length] = '\0'; ! } else retval = KRB5_CONFIG_NOTENUFSPACE; } /* convert client_fulladdr to client_sockaddr: *************** *** 196,201 **** --- 196,202 ---- return KRB5KRB_ERR_FIELD_TOOLONG; } v4_pkt.length = pkt->length; + v4_pkt.mbz = 0; memcpy( v4_pkt.dat, pkt->data, pkt->length); kerberos_v4( &client_sockaddr, &v4_pkt); *************** *** 507,512 **** --- 508,516 ---- req_act_vno = req_version; + /* set these to point to something safe */ + req_name_ptr = req_inst_ptr = req_realm_ptr = ""; + /* check packet version */ if (req_version != KRB_PROT_VERSION) { lt = klog(L_KRB_PERR, *************** *** 574,580 **** if ((i = check_princ(req_name_ptr, req_inst_ptr, 0, &a_name_data))) { ! kerb_err_reply(client, pkt, i, lt); a_name_data.key_low = a_name_data.key_high = 0; return; } --- 578,584 ---- if ((i = check_princ(req_name_ptr, req_inst_ptr, 0, &a_name_data))) { ! 
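Review bot: In the first hunk (lines 173-183) `master_princ->realm.length` is evaluated three times across the guard, the memcpy and the terminator store; hoisting it into a local, e.g. `size_t rlen = master_princ->realm.length;`, keeps the three uses visibly in step and makes the bound easier to audit (rlen < sizeof(local_realm) leaves exactly the byte needed for the `'\0'`). With the length in a local, `lrealm` has a single remaining use and the memcpy could read `master_princ->realm.data` directly. The enclosing function starts and continues outside the hunk.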
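Review bot: In the hunk at lines 507-512 the comment `/* set these to point to something safe */` does not say what "safe" guards against; since kerb_err_reply() hands `req_name_ptr`, `req_inst_ptr` and `req_realm_ptr` to cr_err_reply() (visible in the hunk at line 844), the point is presumably that an error reply sent before the request is parsed must not carry pointers left over from an earlier packet. Suggest `/* kerb_err_reply() passes these to cr_err_reply(); reset them so an error reply sent before parsing never reuses pointers left over from a previous request */`. All three now alias one string literal, so any later write through any of them (none visible here) would be undefined behaviour; if they are declared `char *`, `const char *` would let the compiler enforce that. The enclosing function starts and ends outside the hunk.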
kerb_err_reply(client, pkt, i, "check_princ failed"); a_name_data.key_low = a_name_data.key_high = 0; return; } *************** *** 586,592 **** /* this does all the checking */ if ((i = check_princ(service, instance, lifetime, &s_name_data))) { ! kerb_err_reply(client, pkt, i, lt); a_name_data.key_high = a_name_data.key_low = 0; s_name_data.key_high = s_name_data.key_low = 0; return; --- 590,596 ---- /* this does all the checking */ if ((i = check_princ(service, instance, lifetime, &s_name_data))) { ! kerb_err_reply(client, pkt, i, "check_princ_failed"); a_name_data.key_high = a_name_data.key_low = 0; s_name_data.key_high = s_name_data.key_low = 0; return; *************** *** 664,681 **** tk->length = 0; k_flags = 0; /* various kerberos flags */ auth->length = 4 + strlen((char *)pkt->dat + 3); auth->length += (int) *(pkt->dat + auth->length) + (int) *(pkt->dat + auth->length + 1) + 2; memcpy(auth->dat, pkt->dat, auth->length); strncpy(tktrlm, (char *)auth->dat + 3, REALM_SZ); if (set_tgtkey(tktrlm)) { lt = klog(L_ERR_UNK, "FAILED realm %s unknown. Host: %s ", tktrlm, inet_ntoa(client_host)); ! 
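Review bot: The literal passed to kerb_err_reply() in the hunk at lines 586-592 is `"check_princ_failed"` (underscore) while the two sibling call sites changed by this commit, the hunk at line 574 and the hunk at line 720, use `"check_princ failed"`; the text ends up in the `e_msg` returned to the client, so the same failure is reported with two different strings. Make it `kerb_err_reply(client, pkt, i, "check_princ failed");` to match the others. None of the three call sites records why the previous `lt` argument was replaced; if the reason is that `lt` may still hold an unrelated earlier klog() line, a one-line comment saying so at the first site would spare the next reader the archaeology. The enclosing function starts and ends outside the hunk.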
kerb_err_reply(client, pkt, kerno, lt); return; } kerno = krb_rd_req(auth, "ktbtgt", tktrlm, client_host.s_addr, --- 668,706 ---- tk->length = 0; k_flags = 0; /* various kerberos flags */ + auth->mbz = 0; /* pkt->mbz already zeroed */ auth->length = 4 + strlen((char *)pkt->dat + 3); + if (auth->length + 1 > MAX_KTXT_LEN) { + lt = klog(L_KRB_PERR, + "APPL request with realm length too long from %s", + inet_ntoa(client_host)); + kerb_err_reply(client, pkt, RD_AP_INCON, + "realm length too long"); + return; + } + auth->length += (int) *(pkt->dat + auth->length) + (int) *(pkt->dat + auth->length + 1) + 2; + if (auth->length > MAX_KTXT_LEN) { + lt = klog(L_KRB_PERR, + "APPL request with funky tkt or req_id length from %s", + inet_ntoa(client_host)); + kerb_err_reply(client, pkt, RD_AP_INCON, + "funky tkt or req_id length"); + return; + } memcpy(auth->dat, pkt->dat, auth->length); strncpy(tktrlm, (char *)auth->dat + 3, REALM_SZ); + tktrlm[REALM_SZ-1] = '\0'; if (set_tgtkey(tktrlm)) { lt = klog(L_ERR_UNK, "FAILED realm %s unknown. Host: %s ", tktrlm, inet_ntoa(client_host)); ! /* no better error code */ ! kerb_err_reply(client, pkt, ! KERB_ERR_PRINCIPAL_UNKNOWN, lt); return; } kerno = krb_rd_req(auth, "ktbtgt", tktrlm, client_host.s_addr, *************** *** 720,726 **** kerno = check_princ(service, instance, req_life, &s_name_data); if (kerno) { ! kerb_err_reply(client, pkt, kerno, lt); return; } /* Bound requested lifetime with service and user */ --- 745,751 ---- kerno = check_princ(service, instance, req_life, &s_name_data); if (kerno) { ! kerb_err_reply(client, pkt, kerno, "check_princ failed"); return; } /* Bound requested lifetime with service and user */ *************** *** 844,850 **** static char e_msg[128]; strcpy(e_msg, "\nKerberos error -- "); ! 
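Review bot: In the hunk at lines 664-681 the first guard `if (auth->length + 1 > MAX_KTXT_LEN)` is off by one for the two length bytes read immediately after it: with `auth->length + 1 == MAX_KTXT_LEN` the read at `pkt->dat + auth->length + 1` lands one past the end of `dat` (into whatever follows it, presumably `mbz`). Both guards also bound against the buffer capacity `MAX_KTXT_LEN` rather than the bytes actually received, so `auth->length` can exceed `pkt->length` and the memcpy then hands krb_rd_req() bytes the caller never filled (if `pkt` is the `v4_pkt` built in the hunk at line 196, only `pkt->length` bytes of `dat` were copied in). Suggest `if (auth->length + 2 > MAX_KTXT_LEN || auth->length + 2 > pkt->length) {` for the first check and `if (auth->length > MAX_KTXT_LEN || auth->length > pkt->length) {` for the second. The `lt` assigned by klog() in both new branches is not read before the `return`, since the reply now carries its own literal. The enclosing function starts and ends outside the hunk.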
strcat(e_msg, string); cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr, req_time_ws, err, e_msg); krb4_sendto(f, (char *) e_pkt->dat, e_pkt->length, 0, --- 869,875 ---- static char e_msg[128]; strcpy(e_msg, "\nKerberos error -- "); ! strncat(e_msg, string, sizeof(e_msg) - 1 - 19); cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr, req_time_ws, err, e_msg); krb4_sendto(f, (char *) e_pkt->dat, e_pkt->length, 0, *************** *** 989,995 **** kdb_encrypt_key(key, key, master_key, master_key_schedule, DECRYPT); krb_set_key((char *) key, 0); ! strcpy(lastrealm, r); return (KSUCCESS); } --- 1014,1021 ---- kdb_encrypt_key(key, key, master_key, master_key_schedule, DECRYPT); krb_set_key((char *) key, 0); ! strncpy(lastrealm, r, sizeof(lastrealm) - 1); ! lastrealm[sizeof(lastrealm) - 1] = '\0'; return (KSUCCESS); }
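Review bot: In the hunk at lines 844-850 the bound in `strncat(e_msg, string, sizeof(e_msg) - 1 - 19);` hard-codes the length of the `"\nKerberos error -- "` prefix written by the strcpy() just above; the arithmetic is right today (19 + 108 + terminator = 128), but anyone editing the prefix has to remember to update the 19. `strncat(e_msg, string, sizeof(e_msg) - 1 - strlen(e_msg));` derives the remaining room from the buffer itself and cannot drift. The truncation is silent, which is acceptable for a descriptive message but deserves a note, e.g. `/* string is truncated to fit e_msg; it is descriptive only */`. The enclosing function starts and ends outside the hunk.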
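Review bot: In the hunk at lines 989-995 `strncpy(lastrealm, r, sizeof(lastrealm) - 1)` plus the explicit terminator removes the overflow but silently truncates `r`. If `lastrealm` is compared against the incoming realm on entry to skip re-reading the key (not visible in this hunk), a truncated cached name would compare unequal to the realm it was set from, or could match a different realm that shares the same prefix, so a key loaded for one realm could be reused for another; unless every caller already bounds `r` to fit (the `tktrlm` buffer in the hunk at line 664 is REALM_SZ bytes, but that does not prove the sizes agree), it is safer to reject over-long realms up front with `if (strlen(r) >= sizeof(lastrealm)) return (KFAILURE);` before the key is set. The function starts outside the hunk.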