krb5_principal client;
krb5_principal server;
{
+ krb5_error_code retval;
char *realm;
char *trans;
char *otrans, *otrans_ptr;
char current[MAX_REALM_LN];
char exp[MAX_REALM_LN]; /* Expanded current realm name */
+ int i;
int clst, nlst; /* count of last character in current and next */
int pl, pl1; /* prefix length */
int added; /* TRUE = new realm has been added */
+1 for extra comma which may be added between
+1 for potential space when leading slash in realm */
if (!(trans = (char *) malloc(strlen(realm) + strlen(otrans) + 3))) {
- free(realm);
- free(otrans_ptr);
- return(ENOMEM);
+ retval = ENOMEM;
+ goto fail;
}
if (new_trans->data) free(new_trans->data);
prev[0] = '\0';
- /***** In next statement, need to keep reading if the , was quoted *****/
/* read field into current */
-
- if (sscanf(otrans, "%[^,]", current) == 1) {
- otrans += strlen(current);
- }
- else {
- current[0] = '\0';
+ for (i = 0; *otrans != '\0';) {
+ if (*otrans == '\\')
+ if (*(++otrans) == '\0')
+ break;
+ else
+ continue;
+ if (*otrans == ',') {
+ otrans++;
+ break;
+ }
+ current[i++] = *otrans++;
+ if (i >= MAX_REALM_LN) {
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ goto fail;
+ }
}
+ current[i] = '\0';
- if (otrans[0] == ',') otrans++;
-
added = (krb5_princ_realm(kdc_context, client)->length == strlen(realm) &&
!strncmp(krb5_princ_realm(kdc_context, client)->data, realm, strlen(realm))) ||
(krb5_princ_realm(kdc_context, server)->length == strlen(realm) &&
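Review bot: The escape handling in the new loop that fills `current` does not keep a quoted comma inside the field: after a backslash, `++otrans` followed by `continue` sends the escaped character back through the top of the loop, where a `,` still matches the separator test and ends the field, and the backslash itself is never copied. The removed comment asked for reading to continue past a quoted comma, so if that is still the intent the escaped byte needs to be stored (under the same `i >= MAX_REALM_LN` bound) rather than re-examined. The nested `if`/`if`/`else` is also unbraced, so the `else` attaches to the inner `if` only through the dangling-else rule; writing `if (*otrans == '\\') { ... }` with braces would make that explicit. The loop that fills `next` later in the patch has the same shape and the same two issues.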
}
else if ((current[0] == '/') && (prev[0] == '/')) {
strcpy(exp, prev);
+ if (strlen(exp) + strlen(current) + 1 >= MAX_REALM_LN) {
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ goto fail;
+ }
strcat(exp, current);
}
else if (current[clst] == '.') {
strcpy(exp, current);
+ if (strlen(exp) + strlen(current) + 1 >= MAX_REALM_LN) {
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ goto fail;
+ }
strcat(exp, prev);
}
else {
strcpy(exp, current);
}
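Review bot: The bound added in the `current[clst] == '.'` branch measures the wrong string: `exp` has just been copied from `current` and the following `strcat(exp, prev)` appends `prev`, yet the check adds `strlen(current)`. A short `current` followed by a long `prev` passes the test and can still write past the end of `exp[MAX_REALM_LN]`. The line should read `if (strlen(exp) + strlen(prev) + 1 >= MAX_REALM_LN) {`. In both branches the `strcpy` into `exp` runs before any check, which is only safe if `prev` and `current` never hold more than MAX_REALM_LN - 1 characters; the declaration of `prev` is not visible here.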
- /***** next statement, need to keep reading if the , was quoted *****/
/* read field into next */
-
- if (sscanf(otrans, "%[^,]", next) == 1) {
- otrans += strlen(next);
- nlst = strlen(next) - 1;
- }
- else {
- next[0] = '\0';
- nlst = 0;
+ for (i = 0; *otrans != '\0';) {
+ if (*otrans == '\\')
+ if (*(++otrans) == '\0')
+ break;
+ else
+ continue;
+ if (*otrans == ',') {
+ otrans++;
+ break;
+ }
+ next[i++] = *otrans++;
+ if (i >= MAX_REALM_LN) {
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ goto fail;
+ }
}
-
- if (otrans[0] == ',') otrans++;
+ next[i] = '\0';
+ nlst = i - 1;
if (!strcmp(exp, realm)) added = TRUE;
if ((next[nlst] != '.') && (next[0] != '/') &&
(pl = subrealm(exp, realm))) {
added = TRUE;
+ if (strlen(current) + (pl>0?pl:-pl) + 2 >= MAX_REALM_LN) {
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ goto fail;
+ }
strcat(current, ",");
if (pl > 0) {
strncat(current, realm, pl);
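Review bot: `nlst = i - 1` becomes -1 when the next field is empty (end of the transited string, or two adjacent commas), and the unchanged test `next[nlst] != '.'` two lines later then reads one byte before the start of `next`. The removed code set `nlst = 0` in that case. Either restore that with `nlst = (i > 0) ? i - 1 : 0;` or guard the read as `(nlst < 0 || next[nlst] != '.')`. The enclosing loop begins and ends outside the lines shown here.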
added = TRUE;
current[0] = '\0';
if ((pl1 = subrealm(prev,realm))) {
+ if (strlen(current) + (pl1>0?pl1:-pl1) + 1 >= MAX_REALM_LN) {
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ goto fail;
+ }
if (pl1 > 0) {
strncat(current, realm, pl1);
}
}
else { /* If not a subrealm */
if ((realm[0] == '/') && prev[0]) {
- strcat(current, " ");
+ if (strlen(current) + 2 >= MAX_REALM_LN) {
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ goto fail;
+ }
+ strcat(current, " ");
}
+ if (strlen(current) + strlen(realm) + 1 >= MAX_REALM_LN) {
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ goto fail;
+ }
strcat(current, realm);
}
+ if (strlen(current) + (pl>0?pl:-pl) + 2 >= MAX_REALM_LN) {
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ goto fail;
+ }
strcat(current,",");
if (pl > 0) {
strncat(current, exp, pl);
}
}
- if (new_trans->length != 0) strcat(trans, ",");
+ if (new_trans->length != 0) {
+ if (strlen(trans) + 2 >= MAX_REALM_LN) {
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ goto fail;
+ }
+ strcat(trans, ",");
+ }
+ if (strlen(trans) + strlen(current) + 1 >= MAX_REALM_LN) {
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ goto fail;
+ }
strcat(trans, current);
new_trans->length = strlen(trans) + 1;
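Review bot: The new guards before `strcat(trans, ...)` compare against MAX_REALM_LN, but `trans` is allocated earlier in the patch with `malloc(strlen(realm) + strlen(otrans) + 3)`, so the limit being enforced is not the size of the buffer being written. When the allocation is smaller than MAX_REALM_LN these tests do not bound the write to it, and when it is larger a valid long transited list is rejected with KRB5KRB_AP_ERR_ILL_CR_TKT. Keeping the allocated size in a local (for example `bufsize`) and testing `strlen(trans) + 2 >= bufsize` would tie each check to the real buffer. The three checks in the `if (!added)` block that follows need the same change.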
}
if (!added) {
- if (new_trans->length != 0) strcat(trans, ",");
- if((realm[0] == '/') && trans[0]) strcat(trans, " ");
+ if (new_trans->length != 0) {
+ if (strlen(trans) + 2 >= MAX_REALM_LN) {
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ goto fail;
+ }
+ strcat(trans, ",");
+ }
+ if((realm[0] == '/') && trans[0]) {
+ if (strlen(trans) + 2 >= MAX_REALM_LN) {
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ goto fail;
+ }
+ strcat(trans, " ");
+ }
+ if (strlen(trans) + strlen(realm) + 1 >= MAX_REALM_LN) {
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ goto fail;
+ }
strcat(trans, realm);
new_trans->length = strlen(trans) + 1;
}
+ retval = 0;
+fail:
free(realm);
free(otrans_ptr);
- return(0);
+ return (retval);
}
/*