[2808] in Kerberos-V5-bugs
krb5-appl/488: buffer overflow in 1.0.2 klogind
daemon@ATHENA.MIT.EDU (mhpower@MIT.EDU)
Mon Nov 3 00:56:08 1997
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, mhpower@MIT.EDU
Date: Mon, 3 Nov 97 00:55:26 -0500
From: mhpower@MIT.EDU
Reply-To: mhpower@MIT.EDU
To: krb5-bugs@MIT.EDU
>Number: 488
>Category: krb5-appl
>Synopsis: buffer overflow in 1.0.2 klogind
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Mon Nov 03 00:56:01 EST 1997
>Last-Modified:
>Originator: Matt Power
>Organization:
MIT
>Release: 1.0.2
>Environment:
<machine, os, target, libraries (multiple lines)>
System: any
Architecture: any
>Description:
There's a strcpy of an h_name field into a 128-character
buffer.
>How-To-Repeat:
Arrange for the DNS server response to include data
corresponding to an h_name field of over 127 characters.
>Fix:
*** krb5-1.0.2/src/appl/bsd/krlogind.c.old Fri Oct 31 15:42:50 1997
--- krb5-1.0.2/src/appl/bsd/krlogind.c Mon Nov 3 00:28:44 1997
***************
*** 549,551 ****
/* Save hostent information.... */
! else strcpy(rhost_name,hp->h_name);
--- 549,554 ----
/* Save hostent information.... */
! else {
! strncpy(rhost_name,hp->h_name,sizeof(rhost_name));
! rhost_name[sizeof(rhost_name) - 1] = '\0';
! }
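Review bot: the new `else` branch keeps a silently truncated prefix whenever `hp->h_name` is 128 characters or longer (the strncpy bounded by sizeof(rhost_name), then forcing rhost_name[sizeof(rhost_name) - 1] to NUL). Because rhost_name is being saved as the remote host's identity, a cut-down name may later be compared against host lists, so consider treating an overlong h_name as an error (refuse the connection, or at least log it) rather than continuing with the truncated string. The bounded copy itself is correct and does close the overflow the report describes.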
>Audit-Trail:
>Unformatted:
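As an added example (not code from krb5 or from this report), the two ways of saving an overlong h_name into the 128-byte rhost_name buffer described above: the bounded copy the patch uses, which truncates, beside a stricter variant that rejects a name that does not fit. The buffer size mirrors the report; the function names, the helper and the sample hostnames are this example's own constructions.

```c
/* Added example, not from the krb5 source. RHOST_NAME_LEN mirrors the
 * 128-character rhost_name buffer the report describes; everything else
 * here is constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define RHOST_NAME_LEN 128

/* Mirrors the patched klogind behaviour: bounded copy, always NUL
 * terminated, but an overlong name is silently cut at n - 1 chars.
 * Returns the number of characters actually stored. */
size_t save_rhost_name_truncating(char *rhost_name, size_t n, const char *h_name)
{
    strncpy(rhost_name, h_name, n);
    rhost_name[n - 1] = '\0';
    return strlen(rhost_name);
}

/* Stricter variant: a name that does not fit (with its NUL) is rejected,
 * so a truncated prefix can never be used as the remote host's identity.
 * Returns 0 on success, -1 if too long; rhost_name is emptied on failure. */
int save_rhost_name_checked(char *rhost_name, size_t n, const char *h_name)
{
    size_t len = strlen(h_name);
    if (len >= n) {
        rhost_name[0] = '\0';
        return -1;
    }
    memcpy(rhost_name, h_name, len + 1);
    return 0;
}

/* Builds a constructed hostname of `len` repeated characters (len < n),
 * standing in for an oversized name returned in a DNS answer. */
void make_name(char *buf, size_t n, size_t len, char c)
{
    if (len >= n)
        len = n - 1;
    memset(buf, c, len);
    buf[len] = '\0';
}

int main(void)
{
    char rhost_name[RHOST_NAME_LEN];
    char oversized[201];
    make_name(oversized, sizeof(oversized), 200, 'a');

    save_rhost_name_checked(rhost_name, sizeof(rhost_name), "client.example.com");
    printf("normal name saved: %s\n", rhost_name);
    printf("oversized, truncating: %zu chars kept\n",
           save_rhost_name_truncating(rhost_name, sizeof(rhost_name), oversized));
    printf("oversized, checked: rc=%d\n",
           save_rhost_name_checked(rhost_name, sizeof(rhost_name), oversized));
    return 0;
}
```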