| author | Tom Yu <tlyu@mit.edu> | 2007-06-26 18:08:35 +0000 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 2007-06-26 18:08:35 +0000 |
| commit | 1b52a1fd30640202d3b4eee7c537c1bbb5d84e9e (patch) | |
| tree | 9ad584352734fdd992139141635112b60b734265 /src/kadmin | |
| parent | 581bc90958d2fbda2bb3547e9b854f5c004a430a (diff) | |
fix MITKRB5-SA-2007-005 [CVE-2007-2798/VU#554257]
Truncate the principal names when logging a rename operation to avoid
a stack buffer overflow.
ticket: new
target_version: 1.6.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19637 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kadmin')
| -rw-r--r-- | src/kadmin/server/server_stubs.c | 34 |
1 files changed, 28 insertions, 6 deletions
diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c
index cf823984f..f09154045 100644
--- a/src/kadmin/server/server_stubs.c
+++ b/src/kadmin/server/server_stubs.c
@@ -545,13 +545,14 @@ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp)
 static generic_ret ret;
 char *prime_arg1, *prime_arg2;
- char prime_arg[BUFSIZ];
 gss_buffer_desc client_name, service_name;
 OM_uint32 minor_stat;
 kadm5_server_handle_t handle;
 restriction_t *rp;
 char *errmsg;
+ size_t tlen1, tlen2, clen, slen;
+ char *tdots1, *tdots2, *cdots, *sdots;
 xdr_free(xdr_generic_ret, &ret);
@@ -572,7 +573,14 @@ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp)
 ret.code = KADM5_BAD_PRINCIPAL;
 goto exit_func;
 }
- sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2);
+ tlen1 = strlen(prime_arg1);
+ trunc_name(&tlen1, &tdots1);
+ tlen2 = strlen(prime_arg2);
+ trunc_name(&tlen2, &tdots2);
+ clen = client_name.length;
+ trunc_name(&clen, &cdots);
+ slen = service_name.length;
+ trunc_name(&slen, &sdots);
 ret.code = KADM5_OK;
 if (! CHANGEPW_SERVICE(rqstp)) {
@@ -590,8 +598,15 @@ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp)
 } else ret.code = KADM5_AUTH_INSUFFICIENT;
 if (ret.code != KADM5_OK) {
- log_unauth("kadm5_rename_principal", prime_arg,
- &client_name, &service_name, rqstp);
+ krb5_klog_syslog(LOG_NOTICE,
+ "Unauthorized request: kadm5_rename_principal, "
+ "%.*s%s to %.*s%s, "
+ "client=%.*s%s, service=%.*s%s, addr=%s",
+ tlen1, prime_arg1, tdots1,
+ tlen2, prime_arg2, tdots2,
+ clen, client_name.value, cdots,
+ slen, service_name.value, sdots,
+ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
 } else {
 ret.code = kadm5_rename_principal((void *)handle, arg->src, arg->dest);
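Review bot: The four `*dots` pointers declared in the first hunk have no initializer, so both log calls added later depend on trunc_name() storing a valid string through its second argument on every path, including when the name is short enough to need no truncation. trunc_name() is not visible in this diff, so that contract should be confirmed and stated where the helper is defined. In the `-572` hunk, a one-line comment above the block of trunc_name() calls would record why the lengths are clamped, e.g. `/* Bound every name that reaches the log line (MITKRB5-SA-2007-005). */`. The function body starts and ends outside the hunks shown.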
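Review bot: The `%.*s` conversions in the new krb5_klog_syslog() call of the `-590` hunk take their precision from `tlen1`, `tlen2`, `clen` and `slen`, which the first hunk declares as `size_t`, but a `*` precision must be an `int`. Where size_t is wider than int the variadic arguments can be misread, so the length bound this fix depends on is not applied reliably. Cast at the call site, e.g. `(int)tlen1, prime_arg1, tdots1,`, which is safe only if trunc_name() (not shown) has already clamped each value to something that fits in an int. The call added in the `-600` hunk has the same problem. `client_name.value` and `service_name.value` are `void *` members of a gss_buffer_desc, so `(char *)client_name.value` would make the type expected by `%s` explicit.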
@@ -600,8 +615,15 @@ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp)
 else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
- log_done("kadm5_rename_principal", prime_arg, errmsg,
- &client_name, &service_name, rqstp);
+ krb5_klog_syslog(LOG_NOTICE,
+ "Request: kadm5_rename_principal, "
+ "%.*s%s to %.*s%s, %s, "
+ "client=%.*s%s, service=%.*s%s, addr=%s",
+ tlen1, prime_arg1, tdots1,
+ tlen2, prime_arg2, tdots2, errmsg,
+ clen, client_name.value, cdots,
+ slen, service_name.value, sdots,
+ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
 }
 free_server_handle(handle);
 free(prime_arg1); |
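Review bot: `errmsg` is the one string in this format that still goes through a plain `%s`, so the total length of the log line is bounded only if every message returned by krb5_get_error_message() is. Giving it a precision as well, with a fixed cap, would make the bound complete; whether the logger's own buffer needs this cannot be determined from the lines shown. The format string and its argument list now appear twice in this function, here and in the unauthorized branch, so a small static helper taking the truncated lengths would keep the two log lines from drifting apart. The enclosing if/else begins before this hunk.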
