Subject: Buffer overflow in krb_get_admhst() when using v4 realms section
There is a buffer overflow in krb_get_admhst() when using [v4 realms] in
the krb5 config file for the krb4 configuration.

The problem is that krb_get_admhst() assumes that the host buffer
passed in by the caller is MAXHOSTNAMELEN bytes. Unfortunately, some
callers (e.g. v4 aklogs) pass in a buffer of MAX_K_NAME_SZ bytes. When
krb_get_admhst() passes the buffer to krb_prof_get_nth() *and* there is
a [v4 realms] config, the following code gets executed:

    if (strlen(value) >= retlen)
        result = KFAILURE;
    else
        strncpy(ret, value, retlen);

where retlen is MAXHOSTNAMELEN and ret is a MAX_K_NAME_SZ byte buffer.
As a result, the strncpy() writes (MAXHOSTNAMELEN - MAX_K_NAME_SZ) zeros
off the end of ret.

Given that krb_prof_get_nth() is a static function only used by krb4
configuration lookup functions, and it already checks the length, the
strncpy() should be changed to a strcpy() to support existing (albeit
buggy) clients. The presence of the strncpy() just makes the buffer
overflow more likely to happen.
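A small harness written for this ticket (not code from the report or from krb5) that measures what the report describes: how many bytes each copy routine writes past a caller buffer that is smaller than the retlen it is told. CALLER_BUF_SZ, CLAIMED_LEN and the -1 return value are constructed stand-ins for MAX_K_NAME_SZ, MAXHOSTNAMELEN and KFAILURE, chosen so that the undersized-buffer case actually occurs.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins: the real MAX_K_NAME_SZ and MAXHOSTNAMELEN differ by
 * platform, and the bug bites only when the caller's buffer is the smaller. */
#define CALLER_BUF_SZ 64   /* what the caller really allocated (MAX_K_NAME_SZ role) */
#define CLAIMED_LEN  128   /* retlen as passed by krb_get_admhst() (MAXHOSTNAMELEN role) */
#define BACKING_SZ   256   /* oversized backing store so the measurement is memory-safe */
typedef int (*copy_fn)(char *ret, size_t retlen, const char *value);

/* The copy as quoted in the report: the length check passes, but strncpy
 * NUL-pads out to retlen, so it always writes exactly retlen bytes. */
static int copy_padded(char *ret, size_t retlen, const char *value)
{
    if (strlen(value) >= retlen)
        return -1;              /* stands in for KFAILURE */
    strncpy(ret, value, retlen);
    return 0;
}

/* The committed fix: the check already guarantees value fits in retlen,
 * so strcpy writes only strlen(value)+1 bytes. */
static int copy_exact(char *ret, size_t retlen, const char *value)
{
    if (strlen(value) >= retlen)
        return -1;
    strcpy(ret, value);
    return 0;
}

/* Calls fn with a value of value_len 'a's and a "buffer" of CALLER_BUF_SZ
 * bytes that really sits inside a larger sentinel-filled array; returns how
 * many bytes landed past the caller's buffer, or -1 if fn rejected the value. */
long bytes_past_caller_buffer(copy_fn fn, size_t value_len)
{
    char backing[BACKING_SZ], value[BACKING_SZ];
    long n = 0;

    if (value_len >= sizeof value)
        return -2;              /* too long even for this harness */
    memset(value, 'a', value_len);
    value[value_len] = '\0';
    memset(backing, 'X', sizeof backing);
    if (fn(backing, CLAIMED_LEN, value) != 0)
        return -1;
    for (size_t i = CALLER_BUF_SZ; i < sizeof backing; i++)
        n += backing[i] != 'X'; /* each overwritten sentinel byte is one byte of overrun */
    return n;
}
```

With strncpy the overrun is always CLAIMED_LEN - CALLER_BUF_SZ bytes of NUL padding no matter how short the host name is; with strcpy it is zero unless the name itself is longer than the caller's real buffer, which is the residual risk the report accepts for the existing (albeit buggy) callers.
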

From: lxs@mit.edu
Subject: CVS Commit
krb_prof_get_nth() no longer assumes that its retlen argument is correct (call strcpy instead of strncpy) because this argument is a guess for some callers (eg: krb_get_admhst())

To generate a diff of this commit:

cvs diff -r1.188 -r1.189 krb5/src/lib/krb4/ChangeLog

From: lxs@mit.edu
Subject: CVS Commit
krb_prof_get_nth() no longer assumes that its retlen argument is correct (call strcpy instead of strncpy) because this argument is a guess for some callers (eg: krb_get_admhst())

To generate a diff of this commit:

cvs diff -r1.9 -r1.10 krb5/src/lib/krb4/RealmsConfig-glue.c

From: lxs@mit.edu
Subject: CVS Commit
This time, use the correct # of arguments for strcpy.

To generate a diff of this commit:

cvs diff -r1.10 -r1.11 krb5/src/lib/krb4/RealmsConfig-glue.c

From: lxs@mit.edu
Subject: CVS Commit
pullup from trunk

To generate a diff of this commit:

cvs diff -r1.174.2.12 -r1.174.2.13 krb5/src/lib/krb4/ChangeLog

From: lxs@mit.edu
Subject: CVS Commit
pullup from trunk

To generate a diff of this commit:

cvs diff -r1.6.2.2 -r1.6.2.3 krb5/src/lib/krb4/RealmsConfig-glue.c