[krbdev.mit.edu #5893] krb5_get_cred_from_kdc_opt does not preserve NUL-terminated realm data
Alexandra Ellwood via RT
rt-comment at krbdev.mit.edu
Mon Feb 25 16:34:54 EST 2008
There are a bunch of places in the krb5 code (eg: the KDC location plugin lookup
call) where we assume that a krb5_data containing a realm string has an extra NUL
byte at the end which is not counted as part of the length. This allows the data field to be
treated as a C string.
In krb5_get_cred_from_kdc_opt in the referrals case, krb5int_copy_data_contents
is used to copy the new realm into the service principal.
krb5int_copy_data_contents does not preserve the NUL-terminating byte and so
a buffer overrun may occur.
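The convention described in the report (a counted buffer whose data[length] byte is an uncounted NUL) and the difference between a copy that drops that byte and one that restores it, as an added example. This is not krb5 code: the realm_data struct, realm_data_from_cstr, copy_contents_no_nul, copy_contents_add0, has_uncounted_nul and demo are stand-ins written for this illustration, and the realm string is constructed input. The copies are made into deliberately oversized scratch buffers poisoned with 0xAA so that the missing terminator can be observed without reading past an allocation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for a krb5_data-style counted buffer. The convention the
 * report describes is that, for realm strings, data[length] is a NUL that is
 * NOT counted in length. This struct is an assumption for the example, not a
 * copy of krb5's headers. */
typedef struct {
    unsigned int length;
    char *data;
} realm_data;

/* Build a realm_data that honours the convention: length bytes of text plus
 * one uncounted NUL. Returns 1 on success, 0 on allocation failure. */
static int realm_data_from_cstr(realm_data *d, const char *s)
{
    size_t n = strlen(s);
    d->data = malloc(n + 1);
    if (d->data == NULL)
        return 0;
    memcpy(d->data, s, n + 1);          /* copies the terminator as well */
    d->length = (unsigned int)n;
    return 1;
}

/* Models the problem in the report: exactly length bytes are copied, so
 * nothing places a NUL at dst[length]. Hypothetical helper, not krb5's
 * krb5int_copy_data_contents. */
static void copy_contents_no_nul(char *dst, const realm_data *src)
{
    memcpy(dst, src->data, src->length);
}

/* Hardened variant: copies length bytes and then writes the uncounted NUL.
 * dst must have room for length + 1 bytes. */
static void copy_contents_add0(char *dst, const realm_data *src)
{
    memcpy(dst, src->data, src->length);
    dst[src->length] = '\0';
}

/* Returns 1 if buf[len] is a NUL terminator. The caller guarantees that
 * buf has at least len + 1 readable bytes, so this is not itself an
 * out-of-bounds read. */
static int has_uncounted_nul(const char *buf, unsigned int len)
{
    return buf[len] == '\0';
}

/* Copy a constructed realm string both ways into poisoned scratch space and
 * report which result still satisfies the C-string assumption that code such
 * as the KDC location plugin lookup relies on.
 * Returns a bitmask: bit 0 set if the plain copy is NUL-terminated,
 * bit 1 set if the add0 copy is NUL-terminated; -1 on allocation failure. */
static int demo(const char *realm_str)
{
    realm_data src;
    if (!realm_data_from_cstr(&src, realm_str))
        return -1;

    size_t scratch = (size_t)src.length + 8;   /* slack so [length] is readable */
    char *a = malloc(scratch);
    char *b = malloc(scratch);
    if (a == NULL || b == NULL) {
        free(a); free(b); free(src.data);
        return -1;
    }
    memset(a, 0xAA, scratch);                  /* poison: any NUL seen is ours */
    memset(b, 0xAA, scratch);

    copy_contents_no_nul(a, &src);
    copy_contents_add0(b, &src);

    int result = 0;
    if (has_uncounted_nul(a, src.length))
        result |= 1;
    if (has_uncounted_nul(b, src.length))
        result |= 2;

    free(a); free(b); free(src.data);
    return result;
}

int main(void)
{
    int r = demo("ATHENA.MIT.EDU");            /* constructed sample realm */
    printf("plain copy keeps uncounted NUL: %s\n", (r & 1) ? "yes" : "no");
    printf("add0 copy keeps uncounted NUL:  %s\n", (r & 2) ? "yes" : "no");
    return 0;
}
```

In real code the destination is not oversized and poisoned; the byte at data[length] after a plain copy is whatever follows the allocation, so a strlen or a string compare on it walks off the end of the buffer. The check to add at any boundary where a krb5_data is handed to C-string code is therefore not on the contents but on the copy routine that produced it: it must allocate length + 1 and write the terminator.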