buffer overflow in krb5_kt_get_name

krb5_kt_get_name() allows the called to specify the size of the buffer to copy
the name into. The size must be big enough for the tailing nul character.

If one specified a buffer length that is precisely the strlen w/o allowing for
the nul - the functions would copy one past the end of the buffer.

No code in our tree would be subject this problem - as buffers in use are 1024 
or BUFSIZ....

The logic failure was:

strlen(p+1) vs. strlen(p)+1

The code is essentially duplicated in the three changed files. 

Ticket: new

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19137 dc483132-0cff-0310-8789-dd5450dbe970

0 files changed, 0 insertions, 0 deletions