[2280] in Kerberos-V5-bugs
pending/50: buffer overflow with KRB4_ENCPWD code and long hostnames
daemon@ATHENA.MIT.EDU (mhpower@MIT.EDU)
Wed Oct 2 02:05:53 1996
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: gnats-admin@rt-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, mhpower@MIT.EDU
Date: Wed, 02 Oct 1996 02:04:01 EDT
From: mhpower@MIT.EDU
To: krb5-bugs@MIT.EDU
>Number: 50
>Category: pending
>Synopsis: buffer overflow with KRB4_ENCPWD code and long hostnames
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: gnats-admin
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Oct 2 02:05:01 EDT 1996
>Last-Modified:
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
If telnet is built with KRB4_ENCPWD defined (this assumes, for
example, that code for the krb_*_encpwd_req functions exists
somewhere), the remote hostname available to krb4encpwd_reply can be
up to MAXDNAME-1 (255) characters, but it is strcpy'd to a buffer of
size ANAME_SZ (40). This patch should allow the correct instance to be
found if the first '.' in this hostname is before the 40th character.
It doesn't consider the issue of warning the user if the first '.' in
the hostname occurs at the 40th character or later.
I am not using the KRB4_ENCPWD code myself and would personally not
care if it were simply deleted from the distribution.
Matt
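A bounded instance-extraction routine covering the case the report leaves open (a first '.' at the 40th character or later), as an added example that is neither the report's patch nor code from the krb5 tree; the function and enum names are hypothetical, and the ANAME_SZ and MAXDNAME values are the ones the report quotes.

```c
#include <stddef.h>
#include <string.h>

/* Sizes as quoted in the report (hypothetical local definitions for this
 * example): the Kerberos V4 instance buffer and the DNS name limit. */
#define ANAME_SZ 40
#define MAXDNAME 256

enum instance_status {
    INSTANCE_OK = 0,        /* first '.' (or the end of the name) fit in the buffer */
    INSTANCE_TRUNCATED = 1  /* name was cut before its first '.'; result is unreliable */
};

/* Copy the first DNS label of `host` into `instance` (capacity `sz`) without
 * writing past the buffer. Same shape as the patched code in the report
 * (strncpy, forced NUL, cut at the first '.'), plus the check the report
 * does not make: tell the caller when the label did not fit, so it can warn
 * or refuse instead of authenticating against a mangled instance name. */
enum instance_status extract_instance(const char *host, char *instance, size_t sz)
{
    char *cp;

    if (sz == 0)
        return INSTANCE_TRUNCATED;
    strncpy(instance, host, sz);
    instance[sz - 1] = '\0';         /* strncpy leaves no NUL when the source is too long */
    if ((cp = strchr(instance, '.')) != NULL) {
        *cp = '\0';                  /* dot landed inside the buffer: label is complete */
        return INSTANCE_OK;
    }
    /* No dot in the copy: fine if the whole name fit (host with no domain part),
     * otherwise the copy stopped somewhere inside the first label. */
    return strlen(host) < sz ? INSTANCE_OK : INSTANCE_TRUNCATED;
}
```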
*** krb5-beta7/src/appl/telnet/libtelnet/krb4encpwd.c.old Tue Jun 27 16:32:28 1995
--- krb5-beta7/src/appl/telnet/libtelnet/krb4encpwd.c Wed Oct 2 01:01:01 1996
***************
*** 315,317 ****
Challenge = challenge;
! strcpy(instance, RemoteHostName);
if ((cp = index(instance, '.')) != 0) *cp = '\0';
--- 315,318 ----
Challenge = challenge;
! strncpy(instance, RemoteHostName, sizeof(instance));
! instance[sizeof(instance)-1] = '\0';
if ((cp = index(instance, '.')) != 0) *cp = '\0';
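Review bot: the strncpy plus forced NUL stops the write past ANAME_SZ, but when the first '.' in RemoteHostName falls at the 40th byte or later the hunk still continues with a silently truncated first label in `instance`, so the wrong instance is looked up with no indication to the user (the description acknowledges this). After the `index()` test, consider checking `strlen(RemoteHostName) >= sizeof(instance)` when no '.' was found in the copy and failing or warning in that case rather than proceeding. Minor: `index()` is the legacy BSD name; `strchr()` is the portable equivalent if this file is touched again.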