svn rev #21788: trunk/src/lib/krb5/krb/
ghudson@MIT.EDU
ghudson at MIT.EDU
Fri Jan 23 13:41:42 EST 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=21788
Commit By: ghudson
Log Message:
In krb5_pac_parse, change the code around a bit to avoid harmlessly
copying an uninitialized Buffers field of a PACTYPE structure.
Changed Files:
U trunk/src/lib/krb5/krb/pac.c
Modified: trunk/src/lib/krb5/krb/pac.c
===================================================================
--- trunk/src/lib/krb5/krb/pac.c 2009-01-23 18:19:19 UTC (rev 21787)
+++ trunk/src/lib/krb5/krb/pac.c 2009-01-23 18:41:39 UTC (rev 21788)
@@ -307,25 +307,25 @@
{
krb5_error_code ret;
size_t i;
- PACTYPE header;
const unsigned char *p = (const unsigned char *)ptr;
krb5_pac pac;
size_t header_len;
+ krb5_ui_4 cbuffers, version;
*ppac = NULL;
if (len < PACTYPE_LENGTH)
return ERANGE;
- header.cBuffers = load_32_le(p);
+ cbuffers = load_32_le(p);
p += 4;
- header.Version = load_32_le(p);
+ version = load_32_le(p);
p += 4;
- if (header.Version != 0)
+ if (version != 0)
return EINVAL;
- header_len = PACTYPE_LENGTH + (header.cBuffers * PAC_INFO_BUFFER_LENGTH);
+ header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH);
if (len < header_len)
return ERANGE;
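Review bot: `cbuffers` is read straight from the input buffer and then multiplied by `PAC_INFO_BUFFER_LENGTH` with no upper bound, so a large count can wrap the product and let the `len < header_len` check pass for a short buffer. Whether the wrap happens in 32-bit arithmetic depends on the constant's type, which is not visible here, and on the width of `size_t` on the target. Bounding the count by division avoids the multiplication: `if (cbuffers > (len - PACTYPE_LENGTH) / PAC_INFO_BUFFER_LENGTH) return ERANGE;` (the subtraction is safe because `len >= PACTYPE_LENGTH` was just checked). The arithmetic is carried over unchanged from the `header.cBuffers` version, but the realloc size and the buffer loop in the next hunk both rely on this check. The function's signature and the rest of its body are outside the hunk.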
@@ -334,13 +334,14 @@
return ret;
pac->pac = (PACTYPE *)realloc(pac->pac,
- sizeof(PACTYPE) + ((header.cBuffers - 1) * sizeof(PAC_INFO_BUFFER)));
+ sizeof(PACTYPE) + ((cbuffers - 1) * sizeof(PAC_INFO_BUFFER)));
if (pac->pac == NULL) {
krb5_pac_free(context, pac);
return ENOMEM;
}
- memcpy(pac->pac, &header, sizeof(header));
+ pac->pac->cBuffers = cbuffers;
+ pac->pac->Version = version;
for (i = 0; i < pac->pac->cBuffers; i++) {
PAC_INFO_BUFFER *buffer = &pac->pac->Buffers[i];
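Review bot: The realloc size computes `cbuffers - 1` on an unsigned 32-bit value, so an input that declares zero buffers wraps the count to 0xFFFFFFFF before it is scaled by `sizeof(PAC_INFO_BUFFER)`; nothing visible in either hunk rejects `cbuffers == 0`. A guard next to the version check in the first hunk (before `pac` is allocated) would make the case explicit, e.g. `if (cbuffers == 0) return ERANGE;`, or the size could be computed without the subtraction if an empty PAC has to stay valid. Separately, assigning the result of `realloc` directly to `pac->pac` drops the only reference to the original block when the call fails, so `krb5_pac_free` presumably cannot release it. Holding the result in a temporary and storing it only on success (`tmp = realloc(pac->pac, size); if (tmp == NULL) { ... } pac->pac = tmp;`) closes that leak. The loop body continues outside the hunk.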