*** kerberos.c.orig Fri Mar 1 01:34:09 1991 --- kerberos.c Fri Jun 2 15:37:32 2000 *************** *** 318,323 **** --- 318,337 ---- } + static void str_length_check(str, max_size) + char *str; + int max_size; + { + int i; + char *cp; + + for (i=0, cp = str; i < max_size-1; i++, cp++) { + if (*cp == 0) + return; + } + *cp = 0; + } + kerberos(client, pkt) struct sockaddr_in *client; KTEXT pkt; *************** *** 357,362 **** --- 371,379 ---- req_act_vno = req_version; + /* set these to point to something safe */ + req_name_ptr = req_inst_ptr = req_realm_ptr = ""; + /* check packet version */ if (req_version != KRB_PROT_VERSION) { lt = klog(L_KRB_PERR, *************** *** 392,399 **** --- 409,419 ---- /* set up and correct for byte order and alignment */ req_name_ptr = (char *) pkt_a_name(pkt); + str_length_check(req_name_ptr, ANAME_SZ); req_inst_ptr = (char *) pkt_a_inst(pkt); + str_length_check(req_inst_ptr, INST_SZ); req_realm_ptr = (char *) pkt_a_realm(pkt); + str_length_check(req_realm_ptr, REALM_SZ); bcopy(pkt_time_ws(pkt), &req_time_ws, sizeof(req_time_ws)); /* time has to be diddled */ if (swap_bytes) { *************** *** 413,419 **** if (i = check_princ(req_name_ptr, req_inst_ptr, 0, &a_name_data)) { ! kerb_err_reply(client, pkt, i, lt); return; } tk->length = 0; /* init */ --- 433,440 ---- if (i = check_princ(req_name_ptr, req_inst_ptr, 0, &a_name_data)) { ! kerb_err_reply(client, pkt, i, "check_princ failed"); ! a_name_data.key_low = a_name_data.key_high = 0; return; } tk->length = 0; /* init */ *************** *** 424,430 **** /* this does all the checking */ if (i = check_princ(service, instance, lifetime, &s_name_data)) { ! kerb_err_reply(client, pkt, i, lt); return; } /* Bound requested lifetime with service and user */ --- 445,453 ---- /* this does all the checking */ if (i = check_princ(service, instance, lifetime, &s_name_data)) { ! kerb_err_reply(client, pkt, i, "check_princ_failed"); ! a_name_data.key_high = a_name_data.key_low = 0; ! 
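Review bot: str_length_check writes a terminator into the caller's buffer whenever no NUL is found within the first max_size-1 bytes, so its precondition — that str points at a writable region of at least max_size bytes and that the packet is modified in place — belongs above the definition, e.g. `/* Force str to be NUL-terminated within max_size bytes by overwriting str[max_size-1] if needed. str must be writable and at least max_size bytes long; the data is truncated in place. */`. The truncation is silent, so callers cannot tell a well-formed field from one that was cut; returning an int (`return 0;` when a NUL is found, `return 1;` after writing the terminator) would let the callers reject over-long fields instead of processing a shortened name. The loop also relies on max_size being at least 1, which holds for the constants used but is worth stating in the comment.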
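Review bot: The three str_length_check calls make an over-long name, instance or realm silently become a shorter principal rather than an error, while the APPL branch later in the same function rejects bad lengths with kerb_err_reply; if str_length_check reported truncation, the same treatment here — `if (str_length_check(req_name_ptr, ANAME_SZ)) { kerb_err_reply(client, pkt, RD_AP_INCON, "name too long"); return; }` — would be consistent and would not authenticate a request under a name the client never sent. The interleaving also matters: if pkt_a_inst() and pkt_a_realm() locate their field from the length of the preceding one (their names suggest so, but the macros are not visible here), each check must stay immediately before the next pointer is computed, and a one-line comment such as `/* truncate each field before the next pointer is derived from its length */` would keep a future reordering from reopening the overrun. The enclosing kerberos() function starts and ends outside this hunk.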
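Review bot: The added `a_name_data.key_low = a_name_data.key_high = 0;` before `return` is meant to scrub key material on the failure path, but if a_name_data is an automatic variable of kerberos() (its declaration is outside the hunk) the compiler may treat these as dead stores and remove them; the same applies to the stores added in the next hunk for a_name_data and s_name_data. Writing the zeros through a `volatile` pointer, or through a small helper that the optimizer cannot elide, would make the scrub reliable. It is also not visible here whether the success path clears these structs; if it does so elsewhere in the function, a short comment at these returns pointing to that spot would help the next reader.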
s_name_data.key_high = s_name_data.key_low = 0; return; } /* Bound requested lifetime with service and user */ *************** *** 497,508 **** --- 520,549 ---- k_flags = 0; /* various kerberos flags */ auth->length = 4 + strlen(pkt->dat + 3); + if (auth->length + 1 > MAX_KTXT_LEN) { + lt = klog(L_KRB_PERR, + "APPL request with realm length too long from %s", + inet_ntoa(client_host)); + kerb_err_reply(client, pkt, RD_AP_INCON, + "realm length too long"); + return; + } + auth->length += (int) *(pkt->dat + auth->length) + (int) *(pkt->dat + auth->length + 1) + 2; + if (auth->length > MAX_KTXT_LEN) { + lt = klog(L_KRB_PERR, + "APPL request with funky tkt or req_id length from %s", + inet_ntoa(client_host)); + kerb_err_reply(client, pkt, RD_AP_INCON, + "funky tkt or req_id length"); + return; + } bcopy(pkt->dat, auth->dat, auth->length); strncpy(tktrlm, auth->dat + 3, REALM_SZ); + tktrlm[REALM_SZ-1] = '\0'; if (set_tgtkey(tktrlm)) { lt = klog(L_ERR_UNK, "FAILED realm %s unknown. Host: %s ", *************** *** 550,556 **** kerno = check_princ(service, instance, req_life, &s_name_data); if (kerno) { ! kerb_err_reply(client, pkt, kerno, lt); return; } /* Bound requested lifetime with service and user */ --- 591,597 ---- kerno = check_princ(service, instance, req_life, &s_name_data); if (kerno) { ! kerb_err_reply(client, pkt, kerno, "check_princ failed"); return; } /* Bound requested lifetime with service and user */ *************** *** 669,675 **** static char e_msg[128]; strcpy(e_msg, "\nKerberos error -- "); ! strcat(e_msg, string); cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr, req_time_ws, err, e_msg); sendto(f, e_pkt->dat, e_pkt->length, 0, client, S_AD_SZ); --- 710,716 ---- static char e_msg[128]; strcpy(e_msg, "\nKerberos error -- "); ! 
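Review bot: The error text `"check_princ_failed"` uses an underscore, whereas the equivalent message in the preceding hunk and in the later `kerno` hunk reads `"check_princ failed"`; this string travels to the client through kerb_err_reply and into logs, so the two spellings will look like two different failures. Change it to `kerb_err_reply(client, pkt, i, "check_princ failed");`. kerberos() continues outside this hunk.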
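Review bot: The first guard, `if (auth->length + 1 > MAX_KTXT_LEN)`, still lets the next statement read `*(pkt->dat + auth->length + 1)`, which is index MAX_KTXT_LEN when auth->length equals MAX_KTXT_LEN-1, one byte past the end of dat; the bound needs to be `if (auth->length + 2 > MAX_KTXT_LEN)`. Both guards also compare only against the buffer capacity, not against the number of bytes actually received, so a short datagram is parsed using whatever stale bytes follow it in the buffer; if pkt->length holds the received count (set by the caller, not visible here), adding `|| auth->length + 2 > pkt->length` to the first guard and `|| auth->length > pkt->length` to the second closes that. Finally, the `strlen(pkt->dat + 3)` on the line before the guard runs before any bound is checked, so a packet with no NUL in dat scans past the buffer; a bounded scan such as `if (pkt->length < 4 || memchr(pkt->dat + 3, 0, pkt->length - 3) == NULL)` rejecting the request first would make the strlen safe. kerberos() starts and ends outside this hunk.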
strncat(e_msg, string, sizeof(e_msg) - 1 - 19); cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr, req_time_ws, err, e_msg); sendto(f, e_pkt->dat, e_pkt->length, 0, client, S_AD_SZ); *************** *** 793,799 **** kdb_encrypt_key(key, key, master_key, master_key_schedule, DECRYPT); krb_set_key(key, 0); ! strcpy(lastrealm, r); return (KSUCCESS); } --- 834,841 ---- kdb_encrypt_key(key, key, master_key, master_key_schedule, DECRYPT); krb_set_key(key, 0); ! strncpy(lastrealm, r, sizeof(lastrealm) - 1); ! lastrealm[sizeof(lastrealm) - 1] = '\0'; return (KSUCCESS); }
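Review bot: The literal `19` in `strncat(e_msg, string, sizeof(e_msg) - 1 - 19);` is the length of the prefix copied by the strcpy on the line above and will silently become wrong if that prefix is ever edited; `strncat(e_msg, string, sizeof(e_msg) - 1 - strlen(e_msg));` expresses the same bound without the magic number. A short comment, `/* leave room for the prefix already in e_msg and the NUL */`, would explain the arithmetic either way. The enclosing kerb_err_reply() begins outside this hunk.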
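Review bot: `strncpy(lastrealm, r, sizeof(lastrealm) - 1)` silently truncates the realm recorded in the cache; if lastrealm is later compared against an incoming realm to decide whether the already-loaded key can be reused (the comparison is outside this hunk), a truncated entry could match a different realm whose name equals the first sizeof(lastrealm)-1 characters and hand it the wrong key. Refusing realms that do not fit, `if (strlen(r) >= sizeof(lastrealm)) return (KFAILURE);`, placed before the key is installed, keeps the cache entry identical to the realm that was looked up; at minimum a comment should record that callers guarantee r is shorter than lastrealm (the APPL path truncates tktrlm to REALM_SZ-1 first, which only holds if lastrealm is at least REALM_SZ bytes). The enclosing function (presumably set_tgtkey, judging by the lastrealm cache and the KSUCCESS return) starts outside this hunk.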