Subject: krb5_get_cred_from_kdc_opt does not preserve NUL-terminated realm data

There are a bunch of places in the krb5 code (e.g. the KDC location plugin lookup call) where we assume that a krb5_data containing a realm string has an extra NUL byte at the end which is not counted as part of the length. This allows the data field to be treated as a C string.

In krb5_get_cred_from_kdc_opt in the referrals case, krb5int_copy_data_contents is used to copy the new realm into the service principal. krb5int_copy_data_contents does not preserve the NUL-terminating byte and so a buffer overrun may occur.
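The two copy behaviours described above, side by side, as an added example that is not MIT krb5 code: the struct mirrors the length/data fields of krb5_data, the hypothetical `alloc` field exists only so the demo can check bounds without reading past the buffer, and the hardened copy plus the `realm_is_cstring` check are the defensive pattern, not the library's own functions.

```c
#include <stdlib.h>
#include <string.h>
/* Stand-in for krb5_data (added example). "alloc" is a constructed extra
 * field recording the real allocation size so checks stay in bounds. */
typedef struct {
    unsigned int length;   /* bytes that count, as in krb5_data */
    char *data;
    size_t alloc;          /* constructed: actual allocation size */
} realm_data;
/* Mirrors the behaviour the report describes for krb5int_copy_data_contents:
 * exactly `length` bytes are allocated and copied, so a NUL that the source
 * carried beyond `length` is lost and the copy is not a C string. */
int copy_contents_no_nul(const realm_data *src, realm_data *dst) {
    dst->alloc = src->length ? src->length : 1;
    dst->data = malloc(dst->alloc);
    if (dst->data == NULL) return -1;
    memcpy(dst->data, src->data, src->length);
    dst->length = src->length;
    return 0;
}
/* Hardened copy: allocate one extra byte and always write the terminator,
 * so the result is safe to hand to code that expects a C string. */
int copy_contents_add0(const realm_data *src, realm_data *dst) {
    dst->alloc = (size_t)src->length + 1;
    dst->data = malloc(dst->alloc);
    if (dst->data == NULL) return -1;
    memcpy(dst->data, src->data, src->length);
    dst->data[src->length] = '\0';
    dst->length = src->length;
    return 0;
}
/* Defensive check before treating a realm as a C string: the terminator
 * must lie inside the allocation and no NUL may occur earlier. */
int realm_is_cstring(const realm_data *d) {
    if (d->alloc <= d->length) return 0;                    /* data[length] unreadable */
    if (memchr(d->data, '\0', d->length) != NULL) return 0; /* embedded NUL */
    return d->data[d->length] == '\0';
}
/* Builds a constructed source realm carrying the extra, uncounted NUL byte. */
int make_realm(realm_data *d, const char *s) {
    d->length = (unsigned int)strlen(s);
    d->alloc = d->length + 1;
    d->data = malloc(d->alloc);
    if (d->data == NULL) return -1;
    memcpy(d->data, s, d->alloc);
    return 0;
}
```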