| Subject: | krb5_get_cred_from_kdc_opt does not preserve NUL-terminated realm data |
There are a bunch of places in the krb5 code (eg: the KDC location plugin lookup
call) where we assume that a krb5_data containing realm strings have an extra NUL
byte at the end which is not counted as part of the length. This allows the data field to be
treated as a C strings.
In krb5_get_cred_from_kdc_opt in the referrals case, krb5int_copy_data_contents
is used to copy the new realm into the service principal.
krb5int_copy_data_contents does not preserve the NUL-terminating byte and so
a buffer overrun may occur.
call) where we assume that a krb5_data containing realm strings have an extra NUL
byte at the end which is not counted as part of the length. This allows the data field to be
treated as a C strings.
In krb5_get_cred_from_kdc_opt in the referrals case, krb5int_copy_data_contents
is used to copy the new realm into the service principal.
krb5int_copy_data_contents does not preserve the NUL-terminating byte and so
a buffer overrun may occur.