*** kerberos.c.orig Sat Feb 24 05:43:44 1996 --- kerberos.c Fri Jun 2 15:25:22 2000 *************** *** 358,363 **** --- 358,377 ---- } + static void str_length_check(str, max_size) + char *str; + int max_size; + { + int i; + char *cp; + + for (i=0, cp = str; i < max_size-1; i++, cp++) { + if (*cp == 0) + return; + } + *cp = 0; + } + kerberos(client, pkt) struct sockaddr_in *client; KTEXT pkt; *************** *** 397,402 **** --- 411,419 ---- req_act_vno = req_version; + /* set these to point to something safe */ + req_name_ptr = req_inst_ptr = req_realm_ptr = ""; + /* check packet version */ if (req_version != KRB_PROT_VERSION) { lt = klog(L_KRB_PERR, *************** *** 435,442 **** --- 452,462 ---- /* set up and correct for byte order and alignment */ req_name_ptr = (char *) pkt_a_name(pkt); + str_length_check(req_name_ptr, ANAME_SZ); req_inst_ptr = (char *) pkt_a_inst(pkt); + str_length_check(req_inst_ptr, INST_SZ); req_realm_ptr = (char *) pkt_a_realm(pkt); + str_length_check(req_realm_ptr, REALM_SZ); memcpy(&req_time_ws, pkt_time_ws(pkt), sizeof(req_time_ws)); /* time has to be diddled */ if (swap_bytes) { *************** *** 460,466 **** if (i = check_princ(req_name_ptr, req_inst_ptr, 0, &a_name_data)) { ! kerb_err_reply(client, pkt, i, lt); return; } tk->length = 0; /* init */ --- 480,487 ---- if (i = check_princ(req_name_ptr, req_inst_ptr, 0, &a_name_data)) { ! kerb_err_reply(client, pkt, i, "check_princ failed"); ! a_name_data.key_low = a_name_data.key_high = 0; return; } tk->length = 0; /* init */ *************** *** 471,477 **** /* this does all the checking */ if (i = check_princ(service, instance, req_life, &s_name_data)) { ! kerb_err_reply(client, pkt, i, lt); return; } --- 492,500 ---- /* this does all the checking */ if (i = check_princ(service, instance, req_life, &s_name_data)) { ! kerb_err_reply(client, pkt, i, "check_princ_failed"); ! a_name_data.key_high = a_name_data.key_low = 0; ! 
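Review bot: `str_length_check` stores `*cp = 0` unconditionally when the loop finds no terminator, so for `max_size <= 0` the loop body never runs and the store lands on `str[0]` regardless of how small the buffer is; the constant sizes passed elsewhere in this patch (ANAME_SZ, INST_SZ, REALM_SZ) keep that unreachable, but the contract deserves a guard and a comment. Suggest `if (max_size <= 0) return;` at the top and a header comment `/* Force NUL-termination of str within its first max_size bytes; str must point at at least max_size writable bytes (here: the request packet itself). */`. The truncation is also silent — the caller cannot tell that an over-long field was cut off, which is worth logging since such a packet is malformed.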
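Review bot: The `""` assigned to `req_name_ptr`, `req_inst_ptr` and `req_realm_ptr` is a string literal, and this patch later passes those same pointers to `str_length_check`, which writes through them; that is safe only because they are reassigned to packet memory first (the hunk at old lines 435-442). The comment should say what "safe" means and record that constraint, e.g. `/* Point at an empty string so an error reply built before the request is parsed does not read stale pointers; never call str_length_check() on these until they point into pkt. */`. Whether these pointers are file-scope statics that could otherwise carry a previous request's values is not visible in the hunk.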
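Review bot: The three `str_length_check` calls must stay interleaved with the pointer computations in exactly this order: if, as in the krb4 protocol macros, `pkt_a_inst` and `pkt_a_realm` are derived from the length of the preceding field, terminating the name before computing the instance pointer is what bounds the later fields, and a reorder would silently undo the fix. A one-line comment would protect that, e.g. `/* order matters: each check bounds the strlen() the next pkt_a_*() accessor performs */`. The enclosing `kerberos()` body starts and ends outside this hunk.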
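Review bot: The new failure path clears `a_name_data.key_low`/`key_high` but gives no reason, and the same two assignments are repeated in the next hunk (old lines 471-477) with the fields in the opposite order; a small static helper, or at least a shared comment, would keep the two paths from drifting. Suggest `/* check_princ() may have filled in the principal's key before failing; do not leave it behind in the record */`, with the wording adjusted if a_name_data is not the file-scope static it appears to be — that is not visible here. Replacing `lt` with a fixed string looks right, since the earlier klog() result appears unrelated to this error.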
s_name_data.key_high = s_name_data.key_low = 0; return; } *************** *** 627,638 **** --- 650,679 ---- k_flags = 0; /* various kerberos flags */ auth->length = 4 + strlen((char *) pkt->dat + 3); + if (auth->length + 1 > MAX_KTXT_LEN) { + lt = klog(L_KRB_PERR, + "APPL request with realm length too long from %s", + inet_ntoa(client_host)); + kerb_err_reply(client, pkt, RD_AP_INCON, + "realm length too long"); + return; + } + auth->length += (int) *(pkt->dat + auth->length) + (int) *(pkt->dat + auth->length + 1) + 2; + if (auth->length > MAX_KTXT_LEN) { + lt = klog(L_KRB_PERR, + "APPL request with funky tkt or req_id length from %s", + inet_ntoa(client_host)); + kerb_err_reply(client, pkt, RD_AP_INCON, + "funky tkt or req_id length"); + return; + } memcpy(auth->dat, pkt->dat, auth->length); strncpy(tktrlm, (char *) auth->dat + 3, REALM_SZ); + tktrlm[REALM_SZ-1] = '\0'; if (set_tgtkey(tktrlm)) { lt = klog(L_ERR_UNK, "FAILED realm %s unknown. Host: %s ", *************** *** 680,686 **** kerno = check_princ(service, instance, req_life, &s_name_data); if (kerno) { ! kerb_err_reply(client, pkt, kerno, lt); return; } /* Bound requested lifetime with service and user */ --- 721,727 ---- kerno = check_princ(service, instance, req_life, &s_name_data); if (kerno) { ! kerb_err_reply(client, pkt, kerno, "check_princ failed"); return; } /* Bound requested lifetime with service and user */ *************** *** 804,810 **** static char e_msg[128]; strcpy(e_msg, "\nKerberos error -- "); ! strcat(e_msg, string); cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr, req_time_ws, err, e_msg); sendto(f, e_pkt->dat, e_pkt->length, 0, (struct sockaddr *) client, --- 845,851 ---- static char e_msg[128]; strcpy(e_msg, "\nKerberos error -- "); ! 
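Review bot: The error text here is `"check_princ_failed"` with an underscore, while the matching failure paths in the hunks at old lines 460-466 and 680-686 send `"check_princ failed"`; this string reaches the client through `kerb_err_reply`, so the three should agree: `kerb_err_reply(client, pkt, i, "check_princ failed");`. The key-clearing assignments duplicate the previous hunk with the field order swapped and would be easier to keep in step as one small helper called from both paths.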
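Review bot: The length check is applied after `strlen((char *) pkt->dat + 3)` has already run, so a request whose realm field carries no terminator lets `strlen` read past the realm and, in the worst case, past `pkt->dat` before the new `MAX_KTXT_LEN` comparison can reject it; the bound needs to be on the scan itself. The checks also compare only against `MAX_KTXT_LEN`, not against `pkt->length`, so a datagram shorter than the buffer is parsed from whatever bytes followed it in `pkt->dat`, whereas comparing against the received length rejects a truncated request outright. The sketch below, reusing the function's `i` if it is in scope here (else a fresh int), keeps `auth->length` equal to the old `4 + strlen(...)`; the `MAX_KTXT_LEN` checks that follow could then compare against `pkt->length` as well. `kerberos()` starts and ends outside this hunk.
```c
    k_flags = 0;                /* various kerberos flags */
    /* Scan for the realm terminator only within the bytes actually
     * received, instead of an unbounded strlen() on pkt->dat + 3. */
    for (i = 3; i < pkt->length && pkt->dat[i] != '\0'; i++)
        ;
    if (i >= pkt->length) {
        lt = klog(L_KRB_PERR,
                  "APPL request with unterminated realm from %s",
                  inet_ntoa(client_host));
        kerb_err_reply(client, pkt, RD_AP_INCON, "unterminated realm");
        return;
    }
    auth->length = i + 1;       /* == 4 + strlen((char *) pkt->dat + 3) */
    /* … unchanged: MAX_KTXT_LEN checks, memcpy into auth, tktrlm copy … */
```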
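Review bot: Unlike the two earlier `check_princ` failure paths in this patch (old lines 460-466 and 471-477), this one returns without clearing `s_name_data.key_low`/`key_high`, even though `check_princ(service, ...)` may have filled them before returning `kerno`; for consistency add `s_name_data.key_high = s_name_data.key_low = 0;` before the `return`. Whether a_name_data holds anything at this point of the APPL_REQUEST path is not visible in the hunk.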
strncat(e_msg, string, sizeof(e_msg) - 1 - 19); cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr, req_time_ws, err, e_msg); sendto(f, e_pkt->dat, e_pkt->length, 0, (struct sockaddr *) client, *************** *** 928,934 **** kdb_encrypt_key(key, key, master_key, master_key_schedule, DECRYPT); krb_set_key(key, 0); ! strcpy(lastrealm, r); return (KSUCCESS); } --- 969,976 ---- kdb_encrypt_key(key, key, master_key, master_key_schedule, DECRYPT); krb_set_key(key, 0); ! strncpy(lastrealm, r, sizeof(lastrealm) - 1); ! lastrealm[sizeof(lastrealm) - 1] = '\0'; return (KSUCCESS); }
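Review bot: The `19` in `sizeof(e_msg) - 1 - 19` silently encodes the length of the `"\nKerberos error -- "` literal copied two lines earlier (1 + 18 characters), so editing the prefix without editing the constant would reopen the overflow this patch closes. Tie the bound to the buffer's current contents instead: `strncat(e_msg, string, sizeof(e_msg) - strlen(e_msg) - 1);`, or build the whole message with `snprintf(e_msg, sizeof(e_msg), "\nKerberos error -- %s", string);`, which also removes the `strcpy`. `kerb_err_reply()` starts and ends outside this hunk.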
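Review bot: The copy into `lastrealm` now truncates silently, and `lastrealm` is presumably what this function (which I take to be `set_tgtkey`) compares against on the next call, so a truncated entry would no longer match the realm it was cached for; the only caller visible in this patch passes `tktrlm`, which the hunk at old lines 627-638 already cuts to `REALM_SZ - 1` characters, so truncation here should be unreachable provided `lastrealm` is at least `REALM_SZ` bytes. That invariant is worth writing down, e.g. `/* r is at most REALM_SZ-1 chars (bounded by the caller); the explicit terminator below is defensive */`, or the function could return an error when `strlen(r) >= sizeof(lastrealm)` rather than truncate. The function starts outside this hunk.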