fix possible buffer overrun in handling generic-error return

Jeff Altman reported this, based on a crash seen in KfW in the wild.

The krb5_data handle used to describe the message field returned by the KDC is
not null-terminated, but we use a "%s" format to incorporate it into an error
message string.  In the right circumstances, garbage bytes can be pulled into
the string, or a memory fault may result.

However, as this is in the error-reporting part of the client-side code for
fetching new credentials, it's a relatively minor DoS attack only, not a
serious security exposure.  Should be fixed in the next releases, though.

ticket: new
target_version: 1.6.5
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20304 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c
index 518d0244b7543afd926151e80a1ba1294f23830f..7ecd2813da67e2286c324f0c9751ed5d9c46dfe2 100644 (file)
--- a/src/lib/krb5/krb/gc_via_tkt.c
+++ b/src/lib/krb5/krb/gc_via_tkt.c
@@ -1,7 +1,7 @@
 /*
  * lib/krb5/krb/gc_via_tgt.c
  *
- * Copyright 1990,1991,2007 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2007,2008 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -244,7 +244,8 @@ krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt,
            switch (err_reply->error) {
            case KRB_ERR_GENERIC:
                krb5_set_error_message(context, retval,
-                                      "KDC returned error string: %s",
+                                      "KDC returned error string: %.*s",
+                                      err_reply->text.length,
                                       err_reply->text.data);
                break;
            case KDC_ERR_S_PRINCIPAL_UNKNOWN: