[845] in Kerberos-V5-bugs
NUL-termination problem
daemon@ATHENA.MIT.EDU (John G. Myers)
Tue Oct 11 20:50:50 1994
Date: Tue, 11 Oct 1994 20:51:53 -0400 (EDT)
From: "John G. Myers" <jgm+@cmu.edu>
To: krb5-bugs@MIT.EDU
The code in do_as_req.c:
    sprintf(cpw_service, "%s@%s", "changepw/kerberos",
            krb5_princ_realm(request->server)->data);
assumes that krb5_princ...->data is NUL-terminated. However, the asn1
decoding routines are not NUL-terminating it. Therefore, an arbitrary
amount of uninitialized garbage can be put in cpw_service.
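
Added example, not part of the original message and not code from the Kerberos source: it contrasts the reported "%s" pattern with a length-bounded "%.*s" format that reads only the counted bytes. The struct counted_data, both function names, and the sample buffer are assumptions constructed for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a counted string as an ASN.1 decoder yields it:
 * `length` bytes at `data`, with no promise of a trailing NUL. */
struct counted_data {
    unsigned int length;
    char *data;
};

/* Pattern from the report: "%s" keeps reading until it meets a NUL,
 * so whatever follows the realm bytes in memory is copied as well. */
void cpw_service_unbounded(char *out, const struct counted_data *realm)
{
    sprintf(out, "%s@%s", "changepw/kerberos", realm->data);
}

/* Length-bounded form: "%.*s" reads at most `length` bytes and needs no
 * terminator. Returns 0 on success, -1 on embedded NUL or truncation. */
int cpw_service_bounded(char *out, size_t outsz, const struct counted_data *realm)
{
    int n;

    if (realm->length > INT_MAX)
        return -1;
    if (memchr(realm->data, '\0', realm->length) != NULL)
        return -1;                 /* realm would be silently shortened */
    n = snprintf(out, outsz, "%s@%.*s", "changepw/kerberos",
                 (int)realm->length, realm->data);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample: 14 realm bytes followed by stale bytes. The NUL
     * that ends this array keeps the unbounded read defined for the demo. */
    char backing[] = "ATHENA.MIT.EDUGARBAGE";
    struct counted_data realm = { 14, backing };
    char out[128];

    cpw_service_unbounded(out, &realm);
    printf("unbounded: %s\n", out);
    if (cpw_service_bounded(out, sizeof out, &realm) == 0)
        printf("bounded:   %s\n", out);
    return 0;
}
```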