* an_to_ln.c (krb5_aname_to_localname): Don't write one byte past

	the end of a string.  Found by Christopher Nebergall.

ticket: 2024
component: krb5-libs
version_reported: 1.3.1

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15895 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/krb5/os/ChangeLog b/src/lib/krb5/os/ChangeLog
index 017b9ae7e6d6e400783d0c9d948dc57c23add4ae..7895b7c689953b9433a62131fdf6f932e8ae34ef 100644 (file)
--- a/src/lib/krb5/os/ChangeLog
+++ b/src/lib/krb5/os/ChangeLog
@@ -1,3 +1,8 @@
+2003-12-12  Tom Yu  <tlyu@mit.edu>
+
+       * an_to_ln.c (krb5_aname_to_localname): Don't write one byte past
+       the end of a string.  Found by Christopher Nebergall.
+
 2003-10-27  Jeffrey Altman <jaltman@mit.edu>
 
     * sendto_kdc.c: sockets must be closed with closesocket() and 

diff --git a/src/lib/krb5/os/an_to_ln.c b/src/lib/krb5/os/an_to_ln.c
index 426399e1484d8a4b1809d485c358fac1113849c4..c42b821428947f7a6c7964a02eb64798713d24fb 100644 (file)
--- a/src/lib/krb5/os/an_to_ln.c
+++ b/src/lib/krb5/os/an_to_ln.c
@@ -643,7 +643,7 @@ krb5_aname_to_localname(krb5_context context, krb5_const_principal aname, const
     const char         *hierarchy[5];
     char               **mapping_values;
     int                        i, nvalid;
-    char               *cp;
+    char               *cp, *s;
     char               *typep, *argp;
     unsigned int        lnsize;
 
@@ -677,11 +677,14 @@ krb5_aname_to_localname(krb5_context context, krb5_const_principal aname, const
 
                    /* Just use the last one. */
                    /* Trim the value. */
-                   cp = &mapping_values[nvalid-1]
-                       [strlen(mapping_values[nvalid-1])];
-                   while (isspace((int) (*cp))) cp--;
-                   cp++;
-                   *cp = '\0';
+                   s = mapping_values[nvalid-1];
+                   cp = s + strlen(s);
+                   while (cp > s) {
+                       cp--;
+                       if (!isspace((int)(*cp)))
+                           break;
+                       *cp = '\0';
+                   }
 
                    /* Copy out the value if there's enough room */
                    if (strlen(mapping_values[nvalid-1])+1 <= (size_t) lnsize)