3 files changed, 24 insertions, 27 deletions

diff --git a/src/lib/krb5/krb/parse.c b/src/lib/krb5/krb/parse.c
index fbcc49db0d..c6b1f6ebe6 100644
--- a/src/lib/krb5/krb/parse.c
+++ b/src/lib/krb5/krb/parse.c
@@ -270,7 +270,7 @@ krb5_parse_name(krb5_context context, const char *name, krb5_principal *nprincip
 	}
 	*q++ = '\0';
 	if (!parsed_realm)
-		strcpy(krb5_princ_realm(context, principal)->data, default_realm);
+		strlcpy(krb5_princ_realm(context, principal)->data, default_realm, realmsize + 1);
 	/*
 	 * Alright, we're done.  Now stuff a pointer to this monstrosity
 	 * into the return variable, and let's get out of here.
diff --git a/src/lib/krb5/os/dnssrv.c b/src/lib/krb5/os/dnssrv.c
index d726fb7e54..e10d01d04b 100644
--- a/src/lib/krb5/os/dnssrv.c
+++ b/src/lib/krb5/os/dnssrv.c
@@ -60,10 +60,11 @@ krb5int_make_srv_query_realm(const krb5_data *realm,
 			     struct srv_dns_entry **answers)
 {
     const unsigned char *p = NULL, *base = NULL;
-    char host[MAXDNAME], *h;
-    int size, ret, rdlen, nlen;
+    char host[MAXDNAME];
+    int size, ret, rdlen, nlen, len;
     unsigned short priority, weight, port;
     struct krb5int_dns_state *ds = NULL;
+    struct k5buf buf;
 
     struct srv_dns_entry *head = NULL;
     struct srv_dns_entry *srv = NULL, *entry = NULL;
@@ -81,13 +82,9 @@ krb5int_make_srv_query_realm(const krb5_data *realm,
 
     if (memchr(realm->data, 0, realm->length))
 	return 0;
-    if ( strlen(service) + strlen(protocol) + realm->length + 6 
-         > MAXDNAME )
-	return 0;
-    if (snprintf(host, sizeof(host), "%s.%s.%.*s",
-		 service, protocol, (int) realm->length,
-		 realm->data) >= sizeof(host))
-	return 0;
+    krb5int_buf_init_fixed(&buf, host, sizeof(host));
+    krb5int_buf_add_fmt(&buf, "%s.%s.", service, protocol);
+    krb5int_buf_add_len(&buf, realm->data, realm->length);
 
     /* Realm names don't (normally) end with ".", but if the query
        doesn't end with "." and doesn't get an answer as is, the
@@ -98,9 +95,12 @@ krb5int_make_srv_query_realm(const krb5_data *realm,
        a search on the prefix alone then the intention is to allow
        the local domain or domain search lists to be expanded.  */
 
-    h = host + strlen (host);
-    if ((h[-1] != '.') && ((h - host + 1) < sizeof(host)))
-        strcpy (h, ".");
+    len = krb5int_buf_len(&buf);
+    if (len > 0 && host[len - 1] != '.')
+	krb5int_buf_add(&buf, ".");
+
+    if (krb5int_buf_cstr(&buf) == NULL)
+	return 0;
 
 #ifdef TEST
     fprintf (stderr, "sending DNS SRV query for %s\n", host);
@@ -144,10 +144,7 @@ krb5int_make_srv_query_realm(const krb5_data *realm,
 	srv->port = port;
 	/* The returned names are fully qualified.  Don't let the
 	   local resolver code do domain search path stuff.  */
-	if (strlen(host) + 2 < sizeof(host))
-	    strcat(host, ".");
-	srv->host = strdup(host);
-	if (srv->host == NULL) {
+	if (asprintf(&srv->host, "%s.", host) < 0) {
 	    free(srv);
 	    goto out;
 	}
diff --git a/src/lib/krb5/os/hst_realm.c b/src/lib/krb5/os/hst_realm.c
index 27641f73ad..038348eaef 100644
--- a/src/lib/krb5/os/hst_realm.c
+++ b/src/lib/krb5/os/hst_realm.c
@@ -90,22 +90,20 @@ krb5_try_realm_txt_rr(const char *prefix, const char *name, char **realm)
 {
     krb5_error_code retval = KRB5_ERR_HOST_REALM_UNKNOWN;
     const unsigned char *p, *base;
-    char host[MAXDNAME], *h;
+    char host[MAXDNAME];
     int ret, rdlen, len;
     struct krb5int_dns_state *ds = NULL;
+    struct k5buf buf;
 
     /*
      * Form our query, and send it via DNS
      */
 
+    krb5int_buf_init_fixed(&buf, host, sizeof(host));
     if (name == NULL || name[0] == '\0') {
-        if (strlcpy(host, prefix, sizeof(host)) >= sizeof(host))
-	    return KRB5_ERR_HOST_REALM_UNKNOWN;
+	krb5int_buf_add(&buf, prefix);
     } else {
-        if ( strlen(prefix) + strlen(name) + 3 > MAXDNAME )
-            return KRB5_ERR_HOST_REALM_UNKNOWN;
-        if (snprintf(host, sizeof(host), "%s.%s", prefix, name) >= sizeof(host))
-	    return KRB5_ERR_HOST_REALM_UNKNOWN;
+	krb5int_buf_add_fmt(&buf, "%s.%s", prefix, name);
 
         /* Realm names don't (normally) end with ".", but if the query
            doesn't end with "." and doesn't get an answer as is, the
@@ -117,10 +115,12 @@ krb5_try_realm_txt_rr(const char *prefix, const char *name, char **realm)
            the local domain or domain search lists to be expanded.
         */
 
-        h = host + strlen (host);
-        if ((h > host) && (h[-1] != '.') && ((h - host + 1) < sizeof(host)))
-            strcpy (h, ".");
+	len = krb5int_buf_len(&buf);
+	if (len > 0 && host[len - 1] != '.')
+	    krb5int_buf_add(&buf, ".");
     }
+    if (krb5int_buf_cstr(&buf) == NULL)
+	return KRB5_ERR_HOST_REALM_UNKNOWN;
     ret = krb5int_dns_init(&ds, host, C_IN, T_TXT);
     if (ret < 0)
 	goto errout;