MITKRB5-SA-2007-002: buffer overflow in krb5_klog_syslog

Fix MITKRB5-SA-2007-002: buffer overflow in krb5_klog_syslog.

	* src/lib/krb5/krb/get_in_tkt.c (krb5_klog_syslog): Use vsnprintf
	if available.

Everything else: use precision fields on "%s" specifiers to truncate
logged strings, in case someone doesn't have vsnprintf.

ticket: new
target_version: 1.6.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19395 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 7 insertions, 3 deletions

diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
index 212034bb9..e6fe44da6 100644
--- a/src/lib/kadm5/logger.c
+++ b/src/lib/kadm5/logger.c
@@ -41,7 +41,7 @@
 #endif	/* HAVE_SYSLOG_H */
 #include <stdarg.h>
 
-#define	KRB5_KLOG_MAX_ERRMSG_SIZE	1024
+#define	KRB5_KLOG_MAX_ERRMSG_SIZE	2048
 #ifndef	MAXHOSTNAMELEN
 #define	MAXHOSTNAMELEN	256
 #endif	/* MAXHOSTNAMELEN */
@@ -257,7 +257,9 @@ klog_com_err_proc(const char *whoami, long int code, const char *format, va_list
 #endif	/* HAVE_SYSLOG */
 
     /* Now format the actual message */
-#if	HAVE_VSPRINTF
+#if	HAVE_VSNPRINTF
+    vsnprintf(cp, sizeof(outbuf) - (cp - outbuf), actual_format, ap);
+#elif	HAVE_VSPRINTF
     vsprintf(cp, actual_format, ap);
 #else	/* HAVE_VSPRINTF */
     sprintf(cp, actual_format, ((int *) ap)[0], ((int *) ap)[1],
@@ -846,7 +848,9 @@ klog_vsyslog(int priority, const char *format, va_list arglist)
     syslogp = &outbuf[strlen(outbuf)];
 
     /* Now format the actual message */
-#ifdef	HAVE_VSPRINTF
+#ifdef	HAVE_VSNPRINTF
+    vsnprintf(syslogp, sizeof(outbuf) - (syslogp - outbuf), format, arglist);
+#elif	HAVE_VSPRINTF
     vsprintf(syslogp, format, arglist);
 #else	/* HAVE_VSPRINTF */
     sprintf(syslogp, format, ((int *) arglist)[0], ((int *) arglist)[1],