[krbdev.mit.edu #6866] Kerberos For Windows crash in wshelp dlls

Jeffrey Altman via RT rt at krbdev.mit.edu
Fri Feb 11 01:22:43 EST 2011


Thank you for the submission of the updated res_query.c.  A diff or
patch would have been easier to read. 

The submitted change ensures that the 'answer' buffer allocated on the
stack within do_res_search() is not written beyond its length but it
does so by breaking the semantics of res_search().  If the required
buffer length is larger than the provided answer buffer len, res_search
is supposed to return as much of the answer as possible and return the
required length.  This permits the caller of res_search to allocate a
larger buffer and retry.  krb5 counts on this behavior.

The real problem is in build_rr() which is unaware of the remaining
space in the buffer pointed to by 'cp'.  When the buffer fills, instead
of counting the required bytes, it blindly continues to copy data in.

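The two behaviors the message describes, as an added example that is not the Kerberos for Windows code or the submitted res_query.c: a record writer in the spirit of build_rr() that knows how much of the caller's answer buffer remains, copies only while space is left, and keeps counting bytes after the buffer fills, so that a res_search()-style function can still report the full required length and the caller can grow its buffer and retry. The names (rr_writer, build_rr_bounded, bounded_res_search, search_with_retry), the single-label record layout and the two sample A records are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not krb5/KfW code: a bounded writer that stops copying
 * when the answer buffer is full but keeps counting what was needed. */
typedef struct {
    unsigned char *buf;   /* caller's answer buffer */
    size_t cap;           /* its length (the anslen argument) */
    size_t used;          /* bytes actually written, never exceeds cap */
    size_t needed;        /* bytes that would have been written with unlimited space */
} rr_writer;

/* The one primitive every write goes through: bounded copy, unbounded count. */
static void rr_put(rr_writer *w, const void *src, size_t n)
{
    size_t avail = w->cap > w->used ? w->cap - w->used : 0;
    size_t copy = n < avail ? n : avail;
    if (copy)
        memcpy(w->buf + w->used, src, copy);
    w->used += copy;
    w->needed += n;
}

static void rr_put16(rr_writer *w, uint16_t v)
{
    unsigned char b[2] = { (unsigned char)(v >> 8), (unsigned char)v };
    rr_put(w, b, sizeof b);
}

static void rr_put32(rr_writer *w, uint32_t v)
{
    unsigned char b[4] = { (unsigned char)(v >> 24), (unsigned char)(v >> 16),
                           (unsigned char)(v >> 8), (unsigned char)v };
    rr_put(w, b, sizeof b);
}

/* Hypothetical decoded record (assumed shape, not the real one). */
typedef struct {
    const char *label;          /* single uncompressed label, e.g. "kerberos" */
    uint16_t type, cls;
    uint32_t ttl;
    const unsigned char *rdata;
    uint16_t rdlen;
} sample_rr;

/* Wire-format RR: label, 0 terminator, TYPE, CLASS, TTL, RDLENGTH, RDATA.
 * Unlike the build_rr() described in the message, this never writes past cap. */
static void build_rr_bounded(rr_writer *w, const sample_rr *rr)
{
    unsigned char len = (unsigned char)strlen(rr->label);
    unsigned char zero = 0;
    rr_put(w, &len, 1);
    rr_put(w, rr->label, len);
    rr_put(w, &zero, 1);
    rr_put16(w, rr->type);
    rr_put16(w, rr->cls);
    rr_put32(w, rr->ttl);
    rr_put16(w, rr->rdlen);
    rr_put(w, rr->rdata, rr->rdlen);
}

/* res_search()-style contract: fill 'answer' as far as anslen allows and
 * return the full required length, even when that exceeds anslen. */
int bounded_res_search(const sample_rr *rrs, size_t n, unsigned char *answer, int anslen)
{
    rr_writer w = { answer, anslen > 0 ? (size_t)anslen : 0, 0, 0 };
    for (size_t i = 0; i < n; i++)
        build_rr_bounded(&w, &rrs[i]);
    return (int)w.needed;
}

/* The caller pattern the message says krb5 relies on: start small, grow to
 * the returned length and retry. Returns the answer length or -1; *out
 * receives a malloc'd buffer the caller must free. */
int search_with_retry(const sample_rr *rrs, size_t n, size_t initial, unsigned char **out)
{
    unsigned char *buf = malloc(initial);
    if (!buf)
        return -1;
    int need = bounded_res_search(rrs, n, buf, (int)initial);
    if ((size_t)need > initial) {
        unsigned char *bigger = realloc(buf, (size_t)need);
        if (!bigger) {
            free(buf);
            return -1;
        }
        buf = bigger;
        need = bounded_res_search(rrs, n, buf, need);
    }
    *out = buf;
    return need;
}

/* Constructed sample answer: two A records, 24 wire bytes each. */
static const unsigned char ip1[4] = { 192, 0, 2, 10 };
static const unsigned char ip2[4] = { 192, 0, 2, 11 };
const sample_rr sample_answer[2] = {
    { "kerberos", 1, 1, 300, ip1, 4 },
    { "kerberos", 1, 1, 300, ip2, 4 },
};
```

Calling bounded_res_search() with a 16-byte buffer writes exactly 16 bytes and returns 48; search_with_retry() then reallocates to 48 and gets the complete answer on the second call. Funnelling every write through rr_put() is the point: the remaining-space check lives in one place instead of being repeated at each memcpy in the record builder.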