[5736] in Athena Bugs
7.1: krb_get_in_tkt
daemon@ATHENA.MIT.EDU (Ken Raeburn)
Wed Aug 15 16:02:49 1990
Date: Wed, 15 Aug 90 16:02:35 -0400
From: Ken Raeburn <Raeburn@MIT.Edu>
To: bugs@ATHENA.MIT.EDU
    (void) strcpy((char *)(pkt->dat+pkt->length),
                  instance);                    /* instance */
    instance[INST_SZ-1] = '\0';
    pkt->length += 1 + strlen(instance);
This code should not assume that the argument "instance" points to a
writable string of at least INST_SZ bytes.
Furthermore, if the "instance" argument is long enough that the
inserted null makes a difference, the packet is probably badly
formatted, because the next datum is written in at an offset that does
not correspond to the length of the instance string just inserted, and
therefore the instance is not null-terminated and two fields get
merged into one.
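
The following is an added, self-contained C example illustrating the two problems the report describes; it is not Athena or Kerberos source and not part of the original bug report. The packet type ktext_t, PKT_MAX, the value used for INST_SZ and the realm string are assumptions made for the example. It runs the reported pattern on a constructed 50-byte instance, shows that the caller's buffer is truncated in place and that the field a receiver reads at the instance offset runs straight into the next field, and contrasts a hardened writer that bounds the copy, terminates the copy that is in the packet, never writes through its argument, and advances length by exactly what it wrote.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Athena/Kerberos source.  ktext_t, PKT_MAX and the
 * value of INST_SZ are assumptions standing in for the real KTEXT type and
 * its limits; only the shape of the bug is taken from the report. */
#define INST_SZ 40
#define PKT_MAX 256

typedef struct {
    unsigned char dat[PKT_MAX];
    int length;
} ktext_t;

/* The reported pattern: copy the whole instance into the packet, then
 * truncate the caller's buffer (writing through the argument), then
 * advance length by the length of the truncated argument rather than by
 * what was actually copied.  If the caller's buffer is shorter than
 * INST_SZ bytes, the store to instance[INST_SZ-1] is also out of bounds. */
static void put_instance_reported(ktext_t *pkt, char *instance)
{
    (void) strcpy((char *)(pkt->dat + pkt->length), instance);
    instance[INST_SZ - 1] = '\0';
    pkt->length += 1 + strlen(instance);
}

/* Bounded string length without strnlen(), to stay within plain C99. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened form: never write to the argument, copy at most INST_SZ-1 bytes,
 * terminate the copy that is in the packet, advance length by exactly what
 * was written, and refuse rather than overrun pkt->dat.  Returns 0 on
 * success, -1 if the field does not fit. */
static int put_instance_safe(ktext_t *pkt, const char *instance)
{
    size_t n = bounded_len(instance, INST_SZ - 1);
    if (pkt->length < 0 || (size_t)(PKT_MAX - pkt->length) < n + 1)
        return -1;
    memcpy(pkt->dat + pkt->length, instance, n);
    pkt->dat[pkt->length + n] = '\0';
    pkt->length += (int)(n + 1);
    return 0;
}

/* Append the next NUL-terminated field at the current length (the realm
 * follows the instance in the real packet).  Returns 0 on success. */
static int put_field(ktext_t *pkt, const char *s)
{
    size_t n = strlen(s);
    if (pkt->length < 0 || (size_t)(PKT_MAX - pkt->length) < n + 1)
        return -1;
    memcpy(pkt->dat + pkt->length, s, n + 1);
    pkt->length += (int)(n + 1);
    return 0;
}

/* Read the NUL-terminated field that starts at offset off, as a receiver
 * parsing the packet would. */
static const char *field_at(const ktext_t *pkt, int off)
{
    return (const char *)pkt->dat + off;
}

int main(void)
{
    /* Constructed input: a 50-byte instance, longer than INST_SZ-1. */
    char inst[64];
    ktext_t bad, good;

    memset(inst, 'a', 50);
    inst[50] = '\0';
    memset(&bad, 0, sizeof bad);
    memset(&good, 0, sizeof good);

    put_instance_reported(&bad, inst);
    put_field(&bad, "ATHENA.MIT.EDU");
    printf("reported: caller's instance now %zu bytes, field 0 = \"%s\"\n",
           strlen(inst), field_at(&bad, 0));

    memset(inst, 'a', 50);
    inst[50] = '\0';
    put_instance_safe(&good, inst);
    put_field(&good, "ATHENA.MIT.EDU");
    printf("safe: caller's instance still %zu bytes, field 0 = \"%s\", "
           "field 1 = \"%s\"\n",
           strlen(inst), field_at(&good, 0), field_at(&good, INST_SZ));
    return 0;
}
```

With the reported writer, the first 40 bytes of the instance sit in the packet with no terminator and the realm is written immediately after them, so a receiver reading the instance field gets the 40 bytes plus the realm as one string, while the caller's own buffer has been cut to 39 bytes. With the bounded writer the packet holds a terminated 39-byte instance, the realm starts at the offset that length records, and the caller's buffer is untouched; it also refuses a field that would not fit in pkt->dat, a bound the strcpy in the reported code does not check either.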