Subject: krb5_get_cred_from_kdc_opt does not preserve NUL-terminated realm data
There are a bunch of places in the krb5 code (e.g. the KDC location plugin lookup
call) where we assume that a krb5_data containing realm strings has an extra NUL
byte at the end which is not counted as part of the length. This allows the data field to be
treated as a C string.

In krb5_get_cred_from_kdc_opt in the referrals case, krb5int_copy_data_contents
is used to copy the new realm into the service principal.
krb5int_copy_data_contents does not preserve the NUL-terminating byte and so
a buffer overrun may occur.

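As an added illustration of the counted-buffer to C-string boundary described above (example code, not from this ticket or from krb5), a defensive copy that always writes the terminator and rejects input a C string cannot carry. The struct and function names are simplified stand-ins for the real krb5 types, and the realm values are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for krb5_data (not the real krb5 header): a counted
 * byte buffer. Nothing here guarantees that data[length] holds a NUL. */
typedef struct {
    unsigned int length;
    char *data;
} counted_data;

/* Defensive conversion at the counted-buffer -> C string boundary: returns a
 * malloc'd, NUL-terminated copy of exactly "length" bytes, or NULL when the
 * input holds an embedded NUL (it would truncate the realm) or malloc fails. */
char *counted_to_cstring(const counted_data *in)
{
    size_t len;
    char *out;
    if (in == NULL || (in->data == NULL && in->length != 0))
        return NULL;
    len = in->length;
    if (len != 0 && memchr(in->data, '\0', len) != NULL)
        return NULL;
    out = malloc(len + 1);            /* +1: room for the terminator */
    if (out == NULL)
        return NULL;
    if (len != 0)
        memcpy(out, in->data, len);
    out[len] = '\0';                  /* never rely on the source having one */
    return out;
}

/* Runs the conversion over constructed inputs (a plain realm, a realm with
 * an embedded NUL, an empty buffer) and returns how many of the three
 * checks passed. Expected result: 3. */
int demo_realm_copy(void)
{
    static char realm_buf[] = "EXAMPLE.COM";   /* constructed sample realm */
    static char bad_buf[]   = "EXA\0LE.COM";   /* constructed: embedded NUL */
    counted_data realm = { 11, realm_buf }, bad = { 10, bad_buf };
    counted_data empty = { 0, NULL };
    int passed = 0;
    char *s = counted_to_cstring(&realm);
    passed += (s != NULL && strlen(s) == 11 && strcmp(s, "EXAMPLE.COM") == 0);
    free(s);
    passed += (counted_to_cstring(&bad) == NULL);
    s = counted_to_cstring(&empty);
    passed += (s != NULL && s[0] == '\0');
    free(s);
    return passed;
}
```
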
From: tlyu@mit.edu
Subject: SVN Commit

Make a NUL-terminated copy of realm name before passing to a plugin
interface that takes a C string rather than krb5_data.

Commit By: tlyu

Revision: 20243
Changed Files:
_U trunk/
U trunk/src/lib/krb5/os/locate_kdc.c

From: tlyu@mit.edu
Subject: SVN Commit

pull up r20243 from trunk

r20243@cathode-dark-space: tlyu | 2008-02-29 00:23:56 -0500
ticket: 5893
tags: pullup
target_version: 1.6.4

Make a NUL-terminated copy of realm name before passing to a plugin
interface that takes a C string rather than krb5_data.

Commit By: tlyu

Revision: 20257
Changed Files:
_U branches/krb5-1-6/
U branches/krb5-1-6/src/lib/krb5/os/locate_kdc.c