Diffstat (limited to 'src')
-rw-r--r--src/kdc/ChangeLog7
-rw-r--r--src/kdc/kerberos_v4.c41
2 files changed, 40 insertions, 8 deletions
diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog
index bd26229ea6..6420856b54 100644
--- a/src/kdc/ChangeLog
+++ b/src/kdc/ChangeLog
@@ -1,3 +1,10 @@
+Wed Feb 4 14:15:20 1998 Theodore Y. Ts'o <tytso@mit.edu>
+
+ * kerberos_v4.c (process_v4): Check the length of the incoming V4
+ packet before copying it into the KTEXT_ST variable.
+ (kerberos_v4): Make sure the strings in the V4 request
+ structures aren't no longer than they are allowed to be.
+
Wed Jan 28 08:56:07 1998 Ezra Peisach <epeisach@mit.edu>
* krb5kdc.M: Document V4 mode handling [krb5-kdc/464].
diff --git a/src/kdc/kerberos_v4.c b/src/kdc/kerberos_v4.c
index 110eb5724c..90ee6718a3 100644
--- a/src/kdc/kerberos_v4.c
+++ b/src/kdc/kerberos_v4.c
@@ -94,7 +94,7 @@ static Principal a_name_data; /* for requesting user */
static Principal s_name_data; /* for services requested */
static C_Block session_key;
-static char log_text[128];
+static char log_text[512];
static char *lt;
static int more;
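Review bot: Growing log_text from 128 to 512 bytes raises the ceiling but does not bound what is written into it; whether 512 is enough depends on the formatting calls that fill the buffer, none of which are in this hunk. If those calls use sprintf with principal components, the new ANAME_SZ/INST_SZ/REALM_SZ caps introduced later in this diff make the worst case computable and the size comment should say so, e.g. `static char log_text[512]; /* must hold the longest klog line; fields are capped by str_length_check */`. If they do not, a length-bounded formatter would be the durable fix rather than a larger array.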
@@ -217,6 +217,12 @@ krb5_data **resp;
KTEXT_ST v4_pkt;
char *lrealm;
+ /* Check if disabled completely */
+ if (kdc_v4 == KDC_V4_NONE) {
+ (void) klog(L_KRB_PERR, "Disabled KRB V4 request");
+ return KRB5KDC_ERR_BAD_PVNO;
+ }
+
if ((retval = krb5_timeofday(kdc_context, (krb5_timestamp *) &kerb_time.tv_sec)))
return(retval);
@@ -239,16 +245,13 @@ krb5_data **resp;
/* convert v5 packet structure to v4's.
* this copy is gross, but necessary:
*/
+ if (pkt->length > MAX_KTXT_LEN) {
+ (void) klog(L_KRB_PERR, "V4 request too long.");
+ return KRB5KRB_ERR_FIELD_TOOLONG;
+ }
v4_pkt.length = pkt->length;
memcpy( v4_pkt.dat, pkt->data, pkt->length);
- /* Check if disabled completely */
- if (kdc_v4 == KDC_V4_NONE) {
- (void) klog(L_KRB_PERR,
- "Disabled KRB V4 request");
- return KRB5KDC_ERR_BAD_PVNO;
- }
-
kerberos_v4( &client_sockaddr, &v4_pkt);
*resp = response;
return(retval);
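Review bot: The new upper-bound check stops the memcpy from overrunning v4_pkt.dat, but v4_pkt is an uninitialized stack KTEXT_ST and the bytes of dat beyond pkt->length are never cleared, so the string walks kerberos_v4 performs on the packet (strlen(service) later in this diff) can run into stale stack data when a field is not terminated within the received bytes. Zeroing the unused tail after the memcpy makes every string in a short packet terminate inside the buffer: `memset(v4_pkt.dat + pkt->length, 0, sizeof(v4_pkt.dat) - pkt->length);`. A packet of exactly MAX_KTXT_LEN bytes would still carry no guaranteed terminator, so either require `pkt->length < MAX_KTXT_LEN` or force `v4_pkt.dat[MAX_KTXT_LEN - 1] = 0` as well. process_v4 begins before this hunk.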
@@ -504,6 +507,21 @@ kerb_get_principal(name, inst, principal, maxn, more)
*more = (int) more5 || (nprinc > maxn);
return( nprinc);
}
+
+static void str_length_check(str, max_size)
+ char *str;
+ int max_size;
+{
+ int i;
+ char *cp;
+
+ for (i=0, cp = str; i < max_size-1; i++, cp++) {
+ if (*cp == 0)
+ return;
+ }
+ *cp = 0;
+}
+
void
kerberos_v4(client, pkt)
struct sockaddr_in *client;
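Review bot: str_length_check silently repairs an over-long field by writing a NUL at str[max_size-1], and the callers added later in this diff then derive the next field's position from strlen of the shortened string, so a malformed packet is parsed out of sync instead of being refused. The scan is also bounded only by the field width, never by the end of the received data, so the byte it overwrites may lie past pkt->length. A check that reports instead of mutating lets each caller reject the request through whatever error-reply path kerberos_v4 already uses for bad packets; the acceptance rule (terminator within max_size bytes) stays the same.
```c
/* Return 0 if str is NUL-terminated within max_size bytes, else -1.
 * Never modifies the packet; a -1 means the request must be rejected. */
static int str_length_check(str, max_size)
    char *str;
    int max_size;
{
    int i;

    for (i = 0; i < max_size; i++) {
        if (str[i] == 0)
            return 0;
    }
    return -1;
}
```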
@@ -595,8 +613,11 @@ kerberos_v4(client, pkt)
/* set up and correct for byte order and alignment */
req_name_ptr = (char *) pkt_a_name(pkt);
+ str_length_check(req_name_ptr, ANAME_SZ);
req_inst_ptr = (char *) pkt_a_inst(pkt);
+ str_length_check(req_inst_ptr, INST_SZ);
req_realm_ptr = (char *) pkt_a_realm(pkt);
+ str_length_check(req_realm_ptr, REALM_SZ);
memcpy(&req_time_ws, pkt_time_ws(pkt), sizeof(req_time_ws));
/* time has to be diddled */
if (swap_bytes) {
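Review bot: The three checks bound each component by its field width but nothing confirms that req_inst_ptr and req_realm_ptr still lie inside the received bytes; on a short packet pkt_a_realm(pkt) can already sit past pkt->dat + pkt->length, and str_length_check then scans (and may write) into whatever follows in the KTEXT_ST. A lower bound on the packet relative to these offsets closes that, e.g. `if (req_realm_ptr - (char *)pkt->dat >= pkt->length) /* reject as malformed */`, using the error-reply path kerberos_v4 has for bad requests. Note too that pkt_a_inst and pkt_a_realm are presumably computed from the preceding field's length, so if str_length_check has just shortened req_name_ptr the later pointers are taken from the truncated name, not the original layout; that is worth a comment or, better, a rejection instead of truncation. kerberos_v4 starts before this hunk and continues after it.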
@@ -607,7 +628,9 @@ kerberos_v4(client, pkt)
req_life = (u_long) (*ptr++);
service = ptr;
+ str_length_check(service, SNAME_SZ);
instance = ptr + strlen(service) + 1;
+ str_length_check(instance, INST_SZ);
rpkt = &rpkt_st;
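Review bot: `instance = ptr + strlen(service) + 1` is evaluated after str_length_check may have shortened service, so when the service name exceeded SNAME_SZ the instance pointer lands on byte SNAME_SZ of the original service field and the following check bounds a string that is not the instance at all; the request is then processed with fabricated fields rather than refused. Either reject when the terminator is not found, `if (str_length_check(service, SNAME_SZ) < 0) goto bad_request;` with a reporting variant of the helper, or at minimum record the original length before the check so the offset is not computed from the mutated string. The enclosing function body continues outside this hunk.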
@@ -739,7 +762,9 @@ kerberos_v4(client, pkt)
req_life = (u_long) (*ptr++);
service = ptr;
+ str_length_check(service, SNAME_SZ);
instance = ptr + strlen(service) + 1;
+ str_length_check(instance, INST_SZ);
klog(L_APPL_REQ, "APPL Request %s.%s@%s on %s for %s.%s",
ad->pname, ad->pinst, ad->prealm,