[krbdev.mit.edu #1651] Buffer overflow in krb_get_admhst() when using v4 realms section
Alexandra Ellwood via RT
rt-comment at krbdev.mit.edu
Mon Jul 7 14:15:24 EDT 2003
There is a buffer overflow in krb_get_admhst() when using [v4 realms] in
the krb5 config file for the krb4 configuration.
The problem is that krb_get_admhst() assumes that the host buffer
passed in by the caller is MAXHOSTNAMELEN bytes. Unfortunately, some
callers (e.g. v4 aklogs) pass in a buffer of MAX_K_NAME_SZ bytes. When
krb_get_admhst() passes the buffer to krb_prof_get_nth() *and* there is
a [v4 realms] config, the following code gets executed:
    if (strlen(value) >= retlen)
        result = KFAILURE;
    else
        strncpy(ret, value, retlen);
where retlen is MAXHOSTNAMELEN and ret is a MAX_K_NAME_SZ byte buffer.
As a result, the strncpy() writes (MAXHOSTNAMELEN - MAX_K_NAME_SZ) zeros
off the end of ret.
Given that krb_prof_get_nth() is a static function only used by krb4
configuration lookup functions, and it already checks the length, the
strncpy() should be changed to a strcpy() to support existing (albeit
buggy) clients. The presence of the strncpy() just makes the buffer
overflow more likely to happen.
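Added example (not code from the report or from the MIT krb5 tree): it reproduces the mechanism described above, a length check that passes while strncpy() still NUL-pads all the way to retlen, past a caller buffer that is smaller than retlen, and contrasts it with the strcpy() form the report proposes. The constant values, function names and sample hostname are constructed for the demo; the real MAXHOSTNAMELEN and MAX_K_NAME_SZ values are not given on the page.

```c
#include <stdio.h>
#include <string.h>
/* Toy stand-ins for the real constants; the sizes are constructed for the demo. */
#define DEMO_MAXHOSTNAMELEN 64   /* size krb_get_admhst() assumes */
#define DEMO_MAX_K_NAME_SZ  40   /* size the caller actually allocated */
#define CANARY 0xA5

/* Vulnerable pattern from the report: the length check passes, but strncpy()
 * still pads with NULs up to retlen, beyond the caller's smaller buffer. */
static int copy_with_strncpy(char *ret, size_t retlen, const char *value)
{
    if (strlen(value) >= retlen)
        return -1;
    strncpy(ret, value, retlen);   /* always writes exactly retlen bytes */
    return 0;
}

/* The fix proposed in the report: the length is already checked, so a plain
 * copy writes only strlen(value) + 1 bytes. */
static int copy_with_strcpy(char *ret, size_t retlen, const char *value)
{
    if (strlen(value) >= retlen)
        return -1;
    strcpy(ret, value);
    return 0;
}

/* Runs one copy routine into a DEMO_MAX_K_NAME_SZ-byte region carved from a
 * larger canary-filled backing array, then counts canary bytes clobbered past
 * that region. One backing array keeps the demo free of undefined behaviour. */
static int bytes_clobbered(int (*copy)(char *, size_t, const char *), const char *value)
{
    unsigned char backing[DEMO_MAXHOSTNAMELEN + 16];
    memset(backing, CANARY, sizeof backing);
    if (copy((char *)backing, DEMO_MAXHOSTNAMELEN, value) != 0)
        return -1;   /* rejected by the length check */
    int clobbered = 0;
    for (size_t i = DEMO_MAX_K_NAME_SZ; i < sizeof backing; i++)
        if (backing[i] != CANARY)
            clobbered++;
    return clobbered;
}

int main(void)
{
    const char *host = "kerberos.example.test";   /* constructed admin host */
    printf("strncpy: %d bytes written past the buffer\n", bytes_clobbered(copy_with_strncpy, host));
    printf("strcpy:  %d bytes written past the buffer\n", bytes_clobbered(copy_with_strcpy, host));
    return 0;
}
```

With the toy sizes the strncpy() variant clobbers exactly MAXHOSTNAMELEN - MAX_K_NAME_SZ bytes past the caller's buffer regardless of how short the hostname is, which is the behaviour the report describes.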