fix possible buffer overrun in handling generic-error return

Jeff Altman reported this, based on a crash seen in KfW in the wild.

The krb5_data handle used to describe the message field returned by the KDC is
not null-terminated, but we use a "%s" format to incorporate it into an error
message string.  In the right circumstances, garbage bytes can be pulled into
the string, or a memory fault may result.

However, as this is in the error-reporting part of the client-side code for
fetching new credentials, it's a relatively minor DoS attack only, not a
serious security exposure.  Should be fixed in the next releases, though.

ticket: new
target_version: 1.6.5
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20304 dc483132-0cff-0310-8789-dd5450dbe970

0 files changed, 0 insertions, 0 deletions