svn rev #19137: trunk/src/lib/krb5/keytab/

epeisach@MIT.EDU epeisach at MIT.EDU
Thu Feb 1 14:17:32 EST 2007


Commit By: epeisach
Log Message: 
Ticket: new
Subject: buffer overflow in krb5_kt_get_name

krb5_kt_get_name() allows the caller to specify the size of the buffer to copy
the name into. The size must be big enough for the trailing nul character.

If one specified a buffer length that is precisely the strlen w/o allowing for
the nul - the functions would copy one past the end of the buffer.

No code in our tree would be subject to this problem - as buffers in use are 1024
or BUFSIZ....

The logic failure was:

strlen(p+1) vs. strlen(p)+1

The code is essentially duplicated in the three changed files. 




Changed Files:
U   trunk/src/lib/krb5/keytab/kt_file.c
U   trunk/src/lib/krb5/keytab/kt_memory.c
U   trunk/src/lib/krb5/keytab/kt_srvtab.c
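
The length check described in the log message, as an added example that is not the krb5 source and not part of the original commit mail. get_name_flawed, get_name_fixed, bytes_past_end and NAME_TOOLONG are hypothetical names, and the keytab name is a constructed sample.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_TOOLONG (-1)               /* hypothetical error code */
#define CANARY 0x7f
#define SAMPLE_NAME "/etc/krb5.keytab"  /* constructed sample, 16 chars */

typedef int (*copy_fn)(char *buf, size_t len, const char *name);

/* Flawed check: strlen(name + 1) skips the first character instead of
 * reserving a byte for the NUL, so len == strlen(name) is accepted. */
static int get_name_flawed(char *buf, size_t len, const char *name)
{
    if (len < strlen(name + 1))
        return NAME_TOOLONG;
    strcpy(buf, name);
    return 0;
}

/* Corrected check: the buffer must hold the string plus its NUL. */
static int get_name_fixed(char *buf, size_t len, const char *name)
{
    if (len < strlen(name) + 1)
        return NAME_TOOLONG;
    strcpy(buf, name);
    return 0;
}

/* Run fn with a claimed size of len inside a larger canary-filled
 * array and count the bytes it changed at or beyond offset len. */
static size_t bytes_past_end(copy_fn fn, size_t len, const char *name)
{
    char backing[64];
    size_t i, over = 0;
    memset(backing, CANARY, sizeof(backing));
    fn(backing, len, name);
    for (i = len; i < sizeof(backing); i++)
        over += (backing[i] != CANARY);
    return over;
}

int main(void)
{
    size_t len = strlen(SAMPLE_NAME);   /* exactly strlen, no room for NUL */
    printf("flawed: %zu past end\n", bytes_past_end(get_name_flawed, len, SAMPLE_NAME));
    printf("fixed:  %zu past end\n", bytes_past_end(get_name_fixed, len, SAMPLE_NAME));
    return 0;
}
```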


