[877] in Kerberos-V5-bugs
Re: NUL-termination problem
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Wed Oct 19 12:11:43 1994
Date: Wed, 19 Oct 1994 12:11:34 +0500
From: Theodore Ts'o <tytso@MIT.EDU>
To: "John G. Myers" <jgm+@cmu.edu>
Cc: krb5-bugs@MIT.EDU
In-Reply-To: [845]
Date: Tue, 11 Oct 1994 20:51:53 -0400 (EDT)
From: "John G. Myers" <jgm+@cmu.edu>
The code in do_as_req.c:
assumes that krb5_princ...->data is NUL-terminated. However, the asn1
decoding routines are not NUL-terminating it. Therefore, an arbitrary
amount of uninitialized garbage can be put in cpw_service.
Thanks for the bug report. I've fixed the problem, by replacing the
buggy code with the following:
    /* Parsed once and cached; only its realm is swapped per request. */
    static krb5_principal cpw = 0;
    ....
    pwreq = 0;
    if (!cpw) {
        retval = krb5_parse_name("changepw/kerberos", &cpw);
        if (retval)
            goto errout;
        /* Drop the realm krb5_parse_name filled in; the request supplies it. */
        free(krb5_princ_realm(cpw)->data);
        krb5_princ_realm(cpw)->data = 0;
    }
    /* Borrow the requested server's realm (pointer only, no copy) so the
       comparison below is done with krb5_principal_compare on counted data
       rather than by treating the components as C strings. */
    krb5_princ_realm(cpw)->data = krb5_princ_realm(request->server)->data;
    if (krb5_principal_compare(request->server, cpw))
        pwreq++;
Thanks for the bug report! This fix will be in the next patch release.
- Ted
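The failure mode in this thread, as an added example that is not part of the original message or of the krb5 sources: the ASN.1 decoder hands back a counted byte string that points into the encoded message, so the bytes after a component are whatever happened to follow it, and any code that treats `->data` as a C string (strlen, strcpy, strcmp) reads past the component's length. The `kdata` struct, the `g_encoded` backing buffer standing in for the decoded message, and every function name below are constructed for this demonstration and are not krb5 identifiers. The buggy helpers are kept in bounds of the constructed buffer so the example runs deterministically; in the real bug the over-read is into uninitialized or unrelated memory.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for krb5_data: a counted byte string that is NOT
 * guaranteed to be NUL-terminated, which is what an ASN.1 decoder returns. */
typedef struct {
    size_t length;
    char *data;
} kdata;

/* Constructed backing buffer: the decoder returns a pointer into the raw
 * encoded message, so the bytes after a component are whatever followed it.
 * Here "GARBAGEkerberos" plays the role of those trailing bytes. */
static char g_encoded[] = "changepwGARBAGEkerberos";

/* Hypothetical decoder result: the component "changepw" as a slice of
 * length 8 with no terminator of its own. */
static kdata decoded_component(void) {
    kdata d;
    d.length = 8;
    d.data = g_encoded;
    return d;
}

/* Buggy: treats d->data as a C string. strlen ignores d->length and runs
 * on into the trailing bytes (23 here, not 8). */
static size_t buggy_strlen(const kdata *d) {
    return strlen(d->data);
}

/* Buggy: copies "as a string". The bounded copy and forced terminator keep
 * this from overflowing, but the trailing bytes still end up in the result,
 * which is the "arbitrary garbage in cpw_service" described in the report. */
static void buggy_copy(const kdata *d, char *out, size_t outsz) {
    strncpy(out, d->data, outsz - 1);
    out[outsz - 1] = '\0';
}

/* Fixed: compare the length first, then exactly d->length bytes. Never
 * depends on a NUL being present. */
static int kdata_eq_cstr(const kdata *d, const char *s) {
    size_t n = strlen(s);
    return d->length == n && memcmp(d->data, s, n) == 0;
}

/* Fixed: copy exactly d->length bytes and terminate explicitly; refuse a
 * destination that is too small instead of truncating silently. */
static int kdata_to_cstr(const kdata *d, char *out, size_t outsz) {
    if (d->length >= outsz)
        return -1;
    memcpy(out, d->data, d->length);
    out[d->length] = '\0';
    return 0;
}

/* Small wrappers so each behaviour is observable as a return value. */
static size_t demo_buggy_strlen(void) {
    kdata d = decoded_component();
    return buggy_strlen(&d);
}
static int demo_buggy_copy_matches(void) {
    kdata d = decoded_component();
    char buf[64];
    buggy_copy(&d, buf, sizeof buf);
    return strcmp(buf, "changepw") == 0;   /* 0: garbage was copied too */
}
static int demo_fixed_matches(void) {
    kdata d = decoded_component();
    return kdata_eq_cstr(&d, "changepw");  /* 1 */
}
static int demo_fixed_rejects_longer(void) {
    kdata d = decoded_component();
    return kdata_eq_cstr(&d, "changepwG"); /* 0: lengths differ */
}
static int demo_fixed_copy_matches(void) {
    kdata d = decoded_component();
    char buf[64];
    if (kdata_to_cstr(&d, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, "changepw") == 0;   /* 1 */
}
static int demo_fixed_copy_too_small(void) {
    kdata d = decoded_component();
    char buf[8];                           /* room for 7 chars + NUL only */
    return kdata_to_cstr(&d, buf, sizeof buf); /* -1 */
}

int main(void) {
    kdata d = decoded_component();
    char buf[64];
    printf("length field: %zu, strlen on the same data: %zu\n",
           d.length, demo_buggy_strlen());
    buggy_copy(&d, buf, sizeof buf);
    printf("buggy copy: \"%s\"\n", buf);
    kdata_to_cstr(&d, buf, sizeof buf);
    printf("fixed copy: \"%s\", equals changepw: %d\n", buf, demo_fixed_matches());
    return 0;
}
```

The check to carry away is the one Ted's fix also relies on: compare counted data with a length-aware comparison (krb5_principal_compare in the thread, memcmp plus an explicit length check here), and never let a `%s`, strlen or strcpy see a decoder-produced buffer.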