jaltman's principal-name check from 1.1 branch, indentation fixed
authorKen Raeburn <raeburn@mit.edu>
Wed, 1 Sep 1999 21:50:32 +0000 (21:50 +0000)
committerKen Raeburn <raeburn@mit.edu>
Wed, 1 Sep 1999 21:50:32 +0000 (21:50 +0000)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11776 dc483132-0cff-0310-8789-dd5450dbe970

src/appl/telnet/libtelnet/ChangeLog
src/appl/telnet/libtelnet/kerberos5.c

index c3a779a42fae3b861f4bb04c313cbf0ad7102c56..61e3fc8e317f12268b9db5c500617cd9128c8090 100644 (file)
@@ -1,3 +1,7 @@
+1999-08-31 17:28   Jeffrey Altman <jaltman@columbia.edu>
+
+        * kerberos5.c: Ensure that only "host" service tickets are accepted.
+
 Wed Feb  3 22:59:27 1999  Theodore Y. Ts'o  <tytso@mit.edu>
 
        * kerberos5.c: Increase size of str_data so that we can accept
index 73b2c8780f511e0acb9cd2736791aab9d63ec8fc..3fa9ca43b4a4b97d19a9ae323dcd826a49753401 100644 (file)
@@ -377,7 +377,7 @@ kerberos5_is(ap, data, cnt)
 #ifdef ENCRYPTION
        Session_Key skey;
 #endif
-       char errbuf[128];
+       char errbuf[320];
        char *name;
        char *getenv();
        krb5_data inbuf;
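Review bot: The new size in `char errbuf[320];`, and the matching `char eerrbuf[329];` in the errout hunk, are magic numbers justified only by the 256-byte `princ` buffer and the fixed text of the "incorrect service name" format string added further down in kerberos5_is. Nothing ties the three sizes together, and the writes into both buffers are unbounded `sprintf`/`strcpy`/`strcat`, so lengthening that message or `princ` later would overflow without any compiler warning. I would add a comment at this declaration, for example `/* must hold the longest errout message: a 255-byte service name plus fixed text */`, and derive the second buffer from the first with `char eerrbuf[sizeof(errbuf) + sizeof("telnetd: ")];`. The function body starts and ends outside this hunk.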
@@ -423,6 +423,29 @@ kerberos5_is(ap, data, cnt)
                        (void) strcat(errbuf, error_message(r));
                        goto errout;
                }
+
+               /*
+                * 256 bytes should be much larger than any reasonable
+                * first component of a service name especially since
+                * the default is of length 4.
+                */
+               if (krb5_princ_component(telnet_context,ticket->server,0)->length < 256) {
+                   char princ[256];
+                   strncpy(princ,      
+                           krb5_princ_component(telnet_context, ticket->server,0)->data,
+                           krb5_princ_component(telnet_context, ticket->server,0)->length);
+                   princ[krb5_princ_component(telnet_context, 
+                                              ticket->server,0)->length] = '\0';
+                   if (strcmp("host", princ)) {
+                       (void) sprintf(errbuf, "incorrect service name: \"%s\" != \"%s\"",
+                                      princ, "host");
+                       goto errout;
+                   }
+               } else {
+                   (void) strcpy(errbuf, "service name too long");
+                   goto errout;
+               }
+
                r = krb5_auth_con_getauthenticator(telnet_context,
                                                   auth_context,
                                                   &authenticator);
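Review bot: The test `strcmp("host", princ)` treats the first principal component as a C string, but a krb5_data is a counted byte string, so a component that begins with `host` followed by a NUL byte compares equal, and the `strncpy` above stops copying at that NUL as well. Comparing the length and bytes directly closes that gap and removes the 256-byte copy: take `krb5_data *svc = krb5_princ_component(telnet_context, ticket->server, 0);` and reject when `svc->length != 4 || memcmp(svc->data, "host", 4) != 0`. Whether such a name can reach this point depends on the ticket processing earlier in kerberos5_is, which is outside the hunk, so treat this as hardening rather than a demonstrated bypass. The rejected name is also formatted with `%s` into errbuf, which the errout path appears to report onward, so it would be safer to leave the name out of the message or to filter non-printable bytes first.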
@@ -557,7 +580,7 @@ kerberos5_is(ap, data, cnt)
        
     errout:
        {
-           char eerrbuf[128+9];
+           char eerrbuf[329];
 
            strcpy(eerrbuf, "telnetd: ");
            strcat(eerrbuf, errbuf);