[1788] in Kerberos-V5-bugs
syslog buffer overflows
daemon@ATHENA.MIT.EDU (Sam Hartman)
Wed Jan 24 14:06:49 1996
Date: Wed, 24 Jan 1996 14:06:44 -0500
From: Sam Hartman <hartmans@MIT.EDU>
To: krb5-bugs@MIT.EDU

This is probably hard enough to exploit that I don't really
mind posting it here, but please don't distribute too widely.

While implementing changes to krshd and krlogind, I noticed
that several places in the code syslog potentially unlimited strings.
For example, the krshd code syslogs the principal and realm of any
failed request, along with the hostname from which the request is
received.

This could potentially be a problem if syslog uses sprintf.

I propose that we may wish to optionally include a version of
snprintf in lib/krb5/posix if the native libc doesn't include one, and
then write a krb5_syslog wrapper to deal with making sure the string
doesn't overflow.

--Sam
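
One way a bounded logging wrapper of the kind proposed in the message above could look. This is an added example, not part of the original post and not code from the krb5 source; the names bounded_vformat, bounded_format, bounded_syslog and LOG_MSG_MAX are hypothetical, and a libc that provides vsnprintf is assumed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define LOG_MSG_MAX 256  /* assumed cap on one message, including the NUL */

/* Expand fmt into out[outsz] without ever writing past the buffer.
 * Returns 0 if the text fit, 1 if it was truncated, -1 on error. */
int bounded_vformat(char *out, size_t outsz, const char *fmt, va_list ap)
{
    int n;

    if (outsz == 0)
        return -1;
    n = vsnprintf(out, outsz, fmt, ap);
    if (n < 0) {
        out[0] = '\0';
        return -1;
    }
    if ((size_t)n >= outsz) {
        /* Mark the cut so whoever reads the log knows data is missing. */
        if (outsz > 4)
            memcpy(out + outsz - 4, "...", 4);
        return 1;
    }
    return 0;
}

int bounded_format(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int rc;

    va_start(ap, fmt);
    rc = bounded_vformat(out, outsz, fmt, ap);
    va_end(ap);
    return rc;
}

/* Hypothetical wrapper: remote-supplied strings (principal, realm,
 * hostname) are bounded here before they reach syslog(). */
void bounded_syslog(int priority, const char *fmt, ...)
{
    char msg[LOG_MSG_MAX];
    va_list ap;

    va_start(ap, fmt);
    bounded_vformat(msg, sizeof msg, fmt, ap);
    va_end(ap);
    /* Fixed "%s" format: the expanded text is passed only as data. */
    syslog(priority, "%s", msg);
}
```
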