diff options
| author | Tom Yu <tlyu@mit.edu> | 1998-03-17 00:52:00 +0000 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 1998-03-17 00:52:00 +0000 |
| commit | d5c8d03bcbfc730b05b6e3570404a48add5b05fc (patch) | |
| tree | fc4417d662942ef623d2bc438edfa0c248dfb80b /src | |
| parent | 04bf633d66714476fecf8e9bd45dc7007594c290 (diff) | |
| download | krb5-d5c8d03bcbfc730b05b6e3570404a48add5b05fc.tar.gz krb5-d5c8d03bcbfc730b05b6e3570404a48add5b05fc.tar.xz krb5-d5c8d03bcbfc730b05b6e3570404a48add5b05fc.zip | |
* chk_trans.c (krb5_check_transited_list): Check lengths when
appending to next and prev.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10501 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/krb5/krb/ChangeLog | 5 | ||||
| -rw-r--r-- | src/lib/krb5/krb/chk_trans.c | 24 |
2 files changed, 25 insertions, 4 deletions
diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog index cb58a762f..c94d3c393 100644 --- a/src/lib/krb5/krb/ChangeLog +++ b/src/lib/krb5/krb/ChangeLog @@ -1,3 +1,8 @@ +Mon Mar 16 19:50:55 1998 Tom Yu <tlyu@mit.edu> + + * chk_trans.c (krb5_check_transited_list): Check lengths when + appending to next and prev. + Fri Feb 27 18:03:33 1998 Theodore Ts'o <tytso@rsts-11.mit.edu> * Makefile.in: Changed thisconfigdir to point at the lib/krb5 diff --git a/src/lib/krb5/krb/chk_trans.c b/src/lib/krb5/krb/chk_trans.c index 0961d6af7..979eb831a 100644 --- a/src/lib/krb5/krb/chk_trans.c +++ b/src/lib/krb5/krb/chk_trans.c @@ -41,8 +41,15 @@ krb5_data *realm2; krb5_principal *tgs_list; if (!trans || !trans->data) return(0); - trans_length = trans->data[trans->length-1] ? - trans->length : trans->length - 1; + if (trans_length) + trans_length = trans->data[trans->length-1] ? + trans->length : trans->length - 1; + + for (i = 0; i < trans_length; i++) + if (trans->data[i] == '\0') { + /* Realms may not contain ASCII NUL character. */ + return(KRB5KRB_AP_ERR_ILL_CR_TKT); + } if ((retval = krb5_walk_realm_tree(context, realm1, realm2, &tgs_list, KRB5_REALM_BRANCH_CHAR))) { @@ -51,19 +58,28 @@ krb5_data *realm2; memset(prev, 0, MAX_REALM_LN + 1); memset(next, 0, MAX_REALM_LN + 1), nextp = next; - for (i = 0; i <= trans_length; i++) { + for (i = 0; i < trans_length; i++) { if (i < trans_length-1 && trans->data[i] == '\\') { i++; *nextp++ = trans->data[i]; + if (nextp - next > MAX_REALM_LN) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto finish; + } continue; } if (i < trans_length && trans->data[i] != ',') { *nextp++ = trans->data[i]; + if (nextp - next > MAX_REALM_LN) { + retval = KRB5KRB_AP_ERR_ILL_CR_TKT; + goto finish; + } continue; } if (strlen(next) > 0) { if (next[0] != '/') { - if (*(nextp-1) == '.') strcat(next, prev); + if (*(nextp-1) == '.' && strlen(next) + strlen(prev) <= MAX_REALM_LN) + strcat(next, prev); retval = KRB5KRB_AP_ERR_ILL_CR_TKT; for (j = 0; tgs_list[j]; j++) { if (strlen(next) == (size_t) krb5_princ_realm(context, tgs_list[j])->length && |