krb5_kt_get_name() allows the caller to specify the size of the buffer to copy
the name into. The size must be big enough for the trailing nul character.
If one specified a buffer length that is precisely the strlen w/o allowing for
the nul - the functions would copy one past the end of the buffer.
No code in our tree would be subject to this problem - as buffers in use are 1024
or BUFSIZ....
The logic failure was:
strlen(p+1) vs. strlen(p)+1
The code is essentially duplicated in the three changed files.
Ticket: new
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19137 dc483132-0cff-0310-8789-dd5450dbe970
name++;
len -= strlen(id->ops->prefix)+1;
- if (len < strlen(KTFILENAME(id)+1))
+ if (len < strlen(KTFILENAME(id))+1)
return(KRB5_KT_NAME_TOOLONG);
strcpy(name, KTFILENAME(id));
/* strcpy will NUL-terminate the destination */
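Review bot: The subtraction `len -= strlen(id->ops->prefix)+1;` directly above the corrected check has no guard in the lines shown, so a caller-supplied len smaller than the prefix length plus one is not rejected before the comparison. If len is an unsigned type it wraps to a very large value, and if it is signed and goes negative it is typically converted to unsigned for the comparison against strlen(); in both cases the KRB5_KT_NAME_TOOLONG test passes and strcpy writes past the caller's buffer. Unless a check outside this context already covers it, compare len against strlen(id->ops->prefix)+1 and return KRB5_KT_NAME_TOOLONG before subtracting.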
name++;\r
len -= strlen(id->ops->prefix)+1;\r
\r
- if (len < strlen(KTNAME(id)+1))\r
+ if (len < strlen(KTNAME(id))+1)\r
return(KRB5_KT_NAME_TOOLONG);\r
strcpy(name, KTNAME(id));\r
/* strcpy will NUL-terminate the destination */\r
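Review bot: The bound tested in `if (len < strlen(KTNAME(id))+1)` and the number of bytes written by `strcpy(name, KTNAME(id));` are derived separately, so a slip like the misplaced parenthesis fixed here is easy to make and hard to spot. Consider computing the required size once (a local holding strlen(KTNAME(id))+1), comparing len against that value, and copying exactly that many bytes with memcpy, so the check and the copy cannot disagree. The lines of this hunk also end in carriage returns while the other two hunks do not; normalizing the line endings is better done as a separate change.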
name++;
len -= strlen(id->ops->prefix)+1;
- if (len < strlen(KTFILENAME(id)+1))
+ if (len < strlen(KTFILENAME(id))+1)
return(KRB5_KT_NAME_TOOLONG);
strcpy(name, KTFILENAME(id));
/* strcpy will NUL-terminate the destination */
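Review bot: The bounds check and strcpy here should move into one shared helper instead of being corrected in three places: `if (len < strlen(KTFILENAME(id))+1)` followed by `strcpy(name, KTFILENAME(id));` is identical to the first hunk, and the commit message notes the code is essentially duplicated in the three changed files. A single helper taking the destination, the remaining length and the source name would keep the next fix from having to be applied three times. A regression test that calls krb5_kt_get_name() with a buffer length exactly equal to the length of the full name with no room for the nul, and expects KRB5_KT_NAME_TOOLONG, would cover the boundary this change addresses.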