authorTom Yu <tlyu@mit.edu>2007-04-03 19:23:52 +0000
committerTom Yu <tlyu@mit.edu>2007-04-03 19:23:52 +0000
commitf7f39b9dda8998390da542fb9bbc2be563c8a557 (patch)
treeddc2bfdf6bb73d2b961a88f61f57d66449c41c55 /src/kdc
parentfd6cef3500bd22b289be8c9c3561a11b87843f86 (diff)
MITKRB5-SA-2007-002: buffer overflow in krb5_klog_syslog
Fix MITKRB5-SA-2007-002: buffer overflow in krb5_klog_syslog. * src/lib/krb5/krb/get_in_tkt.c (krb5_klog_syslog): Use vsnprintf if available. Everything else: use precision fields on "%s" specifiers to truncate logged strings, in case someone doesn't have vsnprintf. ticket: new target_version: 1.6.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19395 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kdc')
-rw-r--r--src/kdc/do_tgs_req.c26
-rw-r--r--src/kdc/kdc_util.c1
2 files changed, 21 insertions, 6 deletions
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index c7221247c..8e960cb04 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -491,28 +491,38 @@ tgt_again:
newtransited = 1;
}
if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
+ unsigned int tlen;
+ char *tdots;
+
errcode = krb5_check_transited_list (kdc_context,
&enc_tkt_reply.transited.tr_contents,
krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),
krb5_princ_realm (kdc_context, request->server));
+ tlen = enc_tkt_reply.transited.tr_contents.length;
+ tdots = tlen > 125 ? "..." : "";
+ tlen = tlen > 125 ? 125 : tlen;
+
if (errcode == 0) {
setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
} else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
krb5_klog_syslog (LOG_INFO,
- "bad realm transit path from '%s' to '%s' via '%.*s'",
+ "bad realm transit path from '%s' to '%s' "
+ "via '%.*s%s'",
cname ? cname : "<unknown client>",
sname ? sname : "<unknown server>",
- enc_tkt_reply.transited.tr_contents.length,
- enc_tkt_reply.transited.tr_contents.data);
+ tlen,
+ enc_tkt_reply.transited.tr_contents.data,
+ tdots);
else {
const char *emsg = krb5_get_error_message(kdc_context, errcode);
krb5_klog_syslog (LOG_ERR,
- "unexpected error checking transit from '%s' to '%s' via '%.*s': %s",
+ "unexpected error checking transit from "
+ "'%s' to '%s' via '%.*s%s': %s",
cname ? cname : "<unknown client>",
sname ? sname : "<unknown server>",
- enc_tkt_reply.transited.tr_contents.length,
+ tlen,
enc_tkt_reply.transited.tr_contents.data,
- emsg);
+ tdots, emsg);
krb5_free_error_message(kdc_context, emsg);
}
} else
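Review bot: The precision argument consumed by `%.*s` must have type `int`, but `tlen` is declared `unsigned int` and is passed unchanged in both `krb5_klog_syslog` calls. Because the value has already been clamped to 125 by then, passing `(int) tlen` at each call removes the type mismatch without changing behaviour. The literal 125 is written three times across the two clamp lines; a single named constant (for example `#define TRANSIT_LOG_MAX 125`, a name constructed for this note) would keep the ellipsis decision and the clamp in step. `cname` and `sname` still go through bare `%s` in both messages, and whether they are bounded earlier cannot be seen here, since the enclosing function starts and ends outside the hunk.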
@@ -542,6 +552,9 @@ tgt_again:
if (!krb5_principal_compare(kdc_context, request->server, client2)) {
if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))
tmp = 0;
+ if (tmp != NULL)
+ limit_string(tmp);
+
krb5_klog_syslog(LOG_INFO,
"TGS_REQ %s: 2ND_TKT_MISMATCH: "
"authtime %d, %s for %s, 2nd tkt client %s",
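Review bot: Only `tmp` is bounded in this hunk, while the format string at its end carries three more bare `%s` conversions whose arguments lie outside it, so this log call is only as safe as the handling of those values elsewhere in the function. It is worth confirming that each of them also passes through `limit_string` before this point; the definition of `limit_string` is not part of this page, so its bound cannot be checked from here. A short comment above the new call, such as `/* Truncate before logging: see MITKRB5-SA-2007-002. */`, would explain why the name is (presumably) shortened in place, and the same comment fits the one-line `limit_string(sname)` additions in `find_alternate_tgs` and `kdc_get_server_key`. The new guard tests `tmp != NULL` directly after the existing code assigns `tmp = 0`; writing `NULL` in both places would read more consistently.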
@@ -816,6 +829,7 @@ find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry *server,
krb5_klog_syslog(LOG_INFO,
"TGS_REQ: issuing alternate <un-unparseable> TGT");
} else {
+ limit_string(sname);
krb5_klog_syslog(LOG_INFO,
"TGS_REQ: issuing TGT %s", sname);
free(sname);
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 7325d4572..aeabc5c65 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -404,6 +404,7 @@ kdc_get_server_key(krb5_ticket *ticket, krb5_keyblock **key, krb5_kvno *kvno)
krb5_db_free_principal(kdc_context, &server, nprincs);
if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) {
+ limit_string(sname);
krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'",
sname);
free(sname);