diff options
| author | Tom Yu <tlyu@mit.edu> | 1998-03-20 22:14:15 +0000 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 1998-03-20 22:14:15 +0000 |
| commit | 32ec08da243443fd9cc6919aa183bbc678d0586d (patch) | |
| tree | 246582ae0dc7869ab8415bd69f155f1f4b7cf7e9 /src/kdc | |
| parent | d5c8d03bcbfc730b05b6e3570404a48add5b05fc (diff) | |
| download | krb5-32ec08da243443fd9cc6919aa183bbc678d0586d.tar.gz krb5-32ec08da243443fd9cc6919aa183bbc678d0586d.tar.xz krb5-32ec08da243443fd9cc6919aa183bbc678d0586d.zip | |
* kdc_util.c (add_to_transited): Check lengths, fix up comma
quoting somewhat (though things are still way broken).
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10502 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kdc')
| -rw-r--r-- | src/kdc/ChangeLog | 5 | ||||
| -rw-r--r-- | src/kdc/kdc_util.c | 126 |
2 files changed, 103 insertions, 28 deletions
diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog index eaab61b0e..ce3fc0f27 100644 --- a/src/kdc/ChangeLog +++ b/src/kdc/ChangeLog @@ -1,3 +1,8 @@ +Fri Mar 20 17:13:46 1998 Tom Yu <tlyu@mit.edu> + + * kdc_util.c (add_to_transited): Check lengths, fix up comma + quoting somewhat (though things are still way broken). + Fri Feb 20 15:58:21 1998 Theodore Y. Ts'o <tytso@mit.edu> * kdc_preauth.c (get_preauth_hint_list): Don't add the pseudo diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index ac969841a..863ffd19c 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -537,6 +537,7 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server) krb5_principal client; krb5_principal server; { + krb5_error_code retval; char *realm; char *trans; char *otrans, *otrans_ptr; @@ -548,6 +549,7 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server) char current[MAX_REALM_LN]; char exp[MAX_REALM_LN]; /* Expanded current realm name */ + int i; int clst, nlst; /* count of last character in current and next */ int pl, pl1; /* prefix length */ int added; /* TRUE = new realm has been added */ @@ -572,9 +574,8 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server) +1 for extra comma which may be added between +1 for potential space when leading slash in realm */ if (!(trans = (char *) malloc(strlen(realm) + strlen(otrans) + 3))) { - free(realm); - free(otrans_ptr); - return(ENOMEM); + retval = ENOMEM; + goto fail; } if (new_trans->data) free(new_trans->data); @@ -588,18 +589,25 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server) prev[0] = '\0'; - /***** In next statement, need to keep reading if the , was quoted *****/ /* read field into current */ - - if (sscanf(otrans, "%[^,]", current) == 1) { - otrans += strlen(current); - } - else { - current[0] = '\0'; + for (i = 0; *otrans != '\0';) { + if (*otrans == '\\') + if (*(++otrans) == '\0') + break; + else + continue; + if (*otrans == ',') { + otrans++; + break; + } + current[i++] = *otrans++; + if (i >= MAX_REALM_LN) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto fail; + } } + current[i] = '\0'; - if (otrans[0] == ',') otrans++; - added = (krb5_princ_realm(kdc_context, client)->length == strlen(realm) && !strncmp(krb5_princ_realm(kdc_context, client)->data, realm, strlen(realm))) || (krb5_princ_realm(kdc_context, server)->length == strlen(realm) && @@ -615,29 +623,43 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server) } else if ((current[0] == '/') && (prev[0] == '/')) { strcpy(exp, prev); + if (strlen(exp) + strlen(current) + 1 >= MAX_REALM_LN) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto fail; + } strcat(exp, current); } else if (current[clst] == '.') { strcpy(exp, current); + if (strlen(exp) + strlen(current) + 1 >= MAX_REALM_LN) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto fail; + } strcat(exp, prev); } else { strcpy(exp, current); } - /***** next statement, need to keep reading if the , was quoted *****/ /* read field into next */ - - if (sscanf(otrans, "%[^,]", next) == 1) { - otrans += strlen(next); - nlst = strlen(next) - 1; - } - else { - next[0] = '\0'; - nlst = 0; + for (i = 0; *otrans != '\0';) { + if (*otrans == '\\') + if (*(++otrans) == '\0') + break; + else + continue; + if (*otrans == ',') { + otrans++; + break; + } + next[i++] = *otrans++; + if (i >= MAX_REALM_LN) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto fail; + } } - - if (otrans[0] == ',') otrans++; + next[i] = '\0'; + nlst = i - 1; if (!strcmp(exp, realm)) added = TRUE; @@ -658,6 +680,10 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server) if ((next[nlst] != '.') && (next[0] != '/') && (pl = subrealm(exp, realm))) { added = TRUE; + if (strlen(current) + (pl>0?pl:-pl) + 2 >= MAX_REALM_LN) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto fail; + } strcat(current, ","); if (pl > 0) { strncat(current, realm, pl); @@ -681,6 +707,10 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server) added = TRUE; current[0] = '\0'; if ((pl1 = subrealm(prev,realm))) { + if (strlen(current) + (pl1>0?pl1:-pl1) + 1 >= MAX_REALM_LN) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto fail; + } if (pl1 > 0) { strncat(current, realm, pl1); } @@ -690,10 +720,22 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server) } else { /* If not a subrealm */ if ((realm[0] == '/') && prev[0]) { - strcat(current, " "); + if (strlen(current) + 2 >= MAX_REALM_LN) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto fail; + } + strcat(current, " "); } + if (strlen(current) + strlen(realm) + 1 >= MAX_REALM_LN) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto fail; + } strcat(current, realm); } + if (strlen(current) + (pl>0?pl:-pl) + 2 >= MAX_REALM_LN) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto fail; + } strcat(current,","); if (pl > 0) { strncat(current, exp, pl); @@ -704,7 +746,17 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server) } } - if (new_trans->length != 0) strcat(trans, ","); + if (new_trans->length != 0) { + if (strlen(trans) + 2 >= MAX_REALM_LN) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto fail; + } + strcat(trans, ","); + } + if (strlen(trans) + strlen(current) + 1 >= MAX_REALM_LN) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto fail; + } strcat(trans, current); new_trans->length = strlen(trans) + 1; @@ -713,15 +765,33 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server) } if (!added) { - if (new_trans->length != 0) strcat(trans, ","); - if((realm[0] == '/') && trans[0]) strcat(trans, " "); + if (new_trans->length != 0) { + if (strlen(trans) + 2 >= MAX_REALM_LN) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto fail; + } + strcat(trans, ","); + } + if((realm[0] == '/') && trans[0]) { + if (strlen(trans) + 2 >= MAX_REALM_LN) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto fail; + } + strcat(trans, " "); + } + if (strlen(trans) + strlen(realm) + 1 >= MAX_REALM_LN) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto fail; + } strcat(trans, realm); new_trans->length = strlen(trans) + 1; } + retval = 0; +fail: free(realm); free(otrans_ptr); - return(0); + return (retval); } /* |