From: epeisach@mit.edu
Subject: SVN Commit
krb5_kt_get_name() allows the caller to specify the size of the buffer to copy
the name into. The size must be big enough for the trailing nul character.
If one specified a buffer length that is precisely the strlen w/o allowing for
the nul - the functions would copy one past the end of the buffer.
No code in our tree would be subject to this problem - as buffers in use are 1024
or BUFSIZ....
The logic failure was:
strlen(p+1) vs. strlen(p)+1
The code is essentially duplicated in the three changed files.
Commit By: epeisach
Revision: 19137
Changed Files:
U trunk/src/lib/krb5/keytab/kt_file.c
U trunk/src/lib/krb5/keytab/kt_memory.c
U trunk/src/lib/krb5/keytab/kt_srvtab.c
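
The difference between the two expressions in the commit message, as an added example that is not part of the commit or the krb5 source. It assumes the length check has the form "reject if the computed size exceeds the buffer length"; the helper names and the sample keytab name are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; not the krb5 keytab source. */

/* Buggy check: p+1 skips the first character, so strlen(p+1) is
 * strlen(p)-1 for a non-empty p and the terminator is never counted. */
static int fits_buggy(const char *p, size_t len)
{
    return strlen(p + 1) <= len;
}

/* Fixed check: strlen(p)+1 is the number of bytes strcpy() writes. */
static int fits_fixed(const char *p, size_t len)
{
    return strlen(p) + 1 <= len;
}

/* Bytes a strcpy() would write beyond a len-byte buffer if the given
 * check lets the copy go ahead; 0 when rejected or when it fits. */
static size_t overrun(int (*fits)(const char *, size_t),
                      const char *p, size_t len)
{
    size_t need = strlen(p) + 1;
    if (!fits(p, len))
        return 0;
    return need > len ? need - len : 0;
}

/* Bounded copy using the fixed check; returns -1 if the name is too long. */
int copy_name(char *dst, size_t len, const char *p)
{
    if (!fits_fixed(p, len))
        return -1;
    memcpy(dst, p, strlen(p) + 1);
    return 0;
}

int main(void)
{
    const char *name = "/etc/krb5.keytab";   /* constructed, 16 chars */
    size_t n = strlen(name);                 /* buffer with no room for nul */
    printf("len=%zu buggy overrun=%zu fixed overrun=%zu\n", n,
           overrun(fits_buggy, name, n), overrun(fits_fixed, name, n));
    return 0;
}
```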