[489] in Kerberos-V5-bugs
Problem with krb5_parse_name()? (and a possible fix if so)
daemon@ATHENA.MIT.EDU (Shawn Mamros)
Wed Jun 1 17:05:51 1994
Date: Wed, 1 Jun 94 17:09:20 EDT
To: krb5-bugs@MIT.EDU
Cc: mamros@ftp.com
From: mamros@ftp.com (Shawn Mamros)
Reply-To: mamros@ftp.com
There seems to be a problem with the krb5_parse_name() function in the
Kerberos V5 Beta 3 release - either that, or I'm misunderstanding how
this function is intended to behave.
If the name argument to krb5_parse_name() looks something like
"part1/part2@oops@REALM", where there is more than one unquoted '@'
character in the name, krb5_parse_name() does not detect this situation.
The end result could potentially be a segmentation fault within
krb5_parse_name() itself (during pass 3, when "part2" will be longer
than the allocated space for the second component whose length is
erroneously set to that of "oops"). Other problems are no doubt possible
with the resulting krb5_principal if it does make it out of this function.
Am I correct in assuming that any string containing more than one
(non-quoted) '@' character should be treated as a malformed string
by krb5_parse_name()? If so, the following small patch should fix
the problem:
*** parse.c Sat Oct 30 18:50:46 1993
--- parse_m.c Wed Jun 1 12:17:56 1994
***************
*** 116,124 ****
size = 0;
i++;
} else if (c == REALM_SEP) {
! if (!*(cp+1))
/*
! * Null Realm names are not allowed!
*/
return(KRB5_PARSE_MALFORMED);
parsed_realm = cp+1;
--- 116,125 ----
size = 0;
i++;
} else if (c == REALM_SEP) {
! if (parsed_realm || !*(cp+1))
/*
! * Multiple realm separators and Null Realm
! * names are not allowed!
*/
return(KRB5_PARSE_MALFORMED);
parsed_realm = cp+1;
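Review bot: the new `parsed_realm ||` test is only as good as `parsed_realm` being NULL when the scan of the string begins, and this hunk does not show where that variable is initialised or whether it survives into the later passes the message mentions (pass 3 re-walks the same string). Confirm it is set to NULL before each pass that executes this branch; if it still holds `cp+1` from an earlier pass, every name that has a realm would be rejected on the second walk. If it is only meant to be checked on the first pass, guard the test with the pass counter so the intent is explicit.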
If, on the other hand, multiple non-quoted '@'s should be allowed (with the
second or additional '@'s taken as part of the realm name), I'd appreciate
knowing if that is so. Please inform me if that is the case or not.
Thanks,
-Shawn Mamros
E-mail to: mamros@ftp.com
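The parser below is an added stand-alone example, not code from the MIT Kerberos V5 source or from the message above. It splits a principal string of the form part1/part2@REALM the way the message describes, honouring a backslash as a quote character, and rejects exactly the two shapes the patch rejects: a second unquoted '@' and an '@' with nothing after it. All names in it (parse_principal, describe_parse, struct principal, the PARSE_* codes, MAX_COMPONENTS) are this example's own, as is the assumption that a '/' appearing after the '@' is a literal realm character and that at most eight components are accepted; krb5's real behaviour on those points is not stated on this page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_COMPONENTS 8      /* example-only cap, not krb5's */
#define COMPONENT_SEP  '/'
#define REALM_SEP      '@'
#define QUOTE_CHAR     '\\'

enum { PARSE_OK = 0, PARSE_MALFORMED, PARSE_TOO_MANY, PARSE_NOMEM };

/* Hypothetical simplified principal: components plus an optional realm. */
struct principal {
    int   ncomp;
    char *comp[MAX_COMPONENTS];
    char *realm;              /* NULL when the name carried no realm */
};

/* strdup() is POSIX, not ISO C, so a tiny portable copy is used instead. */
static char *dupstr(const char *s, size_t n)
{
    char *d = malloc(n + 1);
    if (d) { memcpy(d, s, n); d[n] = '\0'; }
    return d;
}

static void free_principal(struct principal *p)
{
    for (int i = 0; i < p->ncomp; i++) free(p->comp[i]);
    free(p->realm);
    memset(p, 0, sizeof *p);
}

/* Single pass over the name. Characters are accumulated in one scratch
 * buffer sized to the whole input, so a component can never be longer than
 * the space reserved for it (the pass-1/pass-3 length mismatch the message
 * describes cannot arise). An unquoted '/' before the realm ends a
 * component; the first unquoted '@' ends the components and starts the
 * realm; a second unquoted '@', an empty realm, or a trailing backslash is
 * reported as PARSE_MALFORMED. */
int parse_principal(const char *name, struct principal *out)
{
    size_t n = 0;
    int in_realm = 0, rc = PARSE_OK;
    char *buf = malloc(strlen(name) + 1);

    memset(out, 0, sizeof *out);
    if (!buf) return PARSE_NOMEM;

    for (const char *cp = name; ; cp++) {
        char c = *cp;
        if (c == QUOTE_CHAR) {            /* quoted char: take it literally */
            if (cp[1] == '\0') { rc = PARSE_MALFORMED; break; }
            buf[n++] = *++cp;
            continue;
        }
        if (c == REALM_SEP && (in_realm || cp[1] == '\0')) {
            rc = PARSE_MALFORMED;         /* second '@' or empty realm */
            break;
        }
        if (c == '\0' || c == REALM_SEP || (c == COMPONENT_SEP && !in_realm)) {
            char *s = dupstr(buf, n);     /* close the current field */
            if (!s) { rc = PARSE_NOMEM; break; }
            if (in_realm) {
                out->realm = s;
            } else if (out->ncomp == MAX_COMPONENTS) {
                free(s); rc = PARSE_TOO_MANY; break;
            } else {
                out->comp[out->ncomp++] = s;
            }
            n = 0;
            if (c == '\0') break;
            if (c == REALM_SEP) in_realm = 1;
            continue;
        }
        buf[n++] = c;                     /* ordinary character */
    }
    free(buf);
    if (rc != PARSE_OK) free_principal(out);
    return rc;
}

/* Render a parse result as "[c0][c1]@REALM" (or "[c0]" with no realm) so
 * results can be compared as strings. Returns a static buffer. */
const char *describe_parse(const char *name)
{
    static char out[512];
    struct principal p;
    int rc = parse_principal(name, &p);
    if (rc == PARSE_MALFORMED) return "MALFORMED";
    if (rc == PARSE_TOO_MANY)  return "TOO MANY COMPONENTS";
    if (rc != PARSE_OK)        return "ERROR";
    size_t pos = 0;
    out[0] = '\0';
    for (int i = 0; i < p.ncomp && pos < sizeof out; i++)
        pos += (size_t)snprintf(out + pos, sizeof out - pos, "[%s]", p.comp[i]);
    if (p.realm && pos < sizeof out)
        snprintf(out + pos, sizeof out - pos, "@%s", p.realm);
    free_principal(&p);
    return out;
}

int main(void)
{
    /* constructed sample inputs, including the one from the message */
    const char *samples[] = { "host/www.example.com@EXAMPLE.COM",
                              "user\\@name@EXAMPLE.COM",
                              "part1/part2@oops@REALM", "user@", "user" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-34s -> %s\n", samples[i], describe_parse(samples[i]));
    return 0;
}
```

The point of the single scratch buffer is that the field lengths are never computed in one pass and consumed in another, so the input "part1/part2@oops@REALM" is refused at the second '@' rather than being copied into undersized storage.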