kerberos_v4.c (process_v4): Check the length of the incoming V4 packet

	before copying it into the KTEXT_ST variable.

(kerberos_v4): Make sure the strings in the V4 request structures
	aren't no longer than they are allowed to be.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10402 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog
index bd26229ea6248b9d08645e77499d573f6a8c50e0..6420856b54de3fe502e319dca7284a4048f3c302 100644 (file)
--- a/src/kdc/ChangeLog
+++ b/src/kdc/ChangeLog
@@ -1,3 +1,10 @@
+Wed Feb  4 14:15:20 1998  Theodore Y. Ts'o  <tytso@mit.edu>
+
+       * kerberos_v4.c (process_v4): Check the length of the incoming V4
+               packet before copying it into the KTEXT_ST variable.
+               (kerberos_v4): Make sure the strings in the V4 request
+               structures aren't no longer than they are allowed to be.
+
 Wed Jan 28 08:56:07 1998  Ezra Peisach  <epeisach@mit.edu>
 
        * krb5kdc.M: Document V4 mode handling [krb5-kdc/464].

diff --git a/src/kdc/kerberos_v4.c b/src/kdc/kerberos_v4.c
index 110eb5724cbcd50f9cba12d81e2f37c5c3f841b6..90ee6718a3fc0acb87ec2426fc091ac5418524af 100644 (file)
--- a/src/kdc/kerberos_v4.c
+++ b/src/kdc/kerberos_v4.c
@@ -94,7 +94,7 @@ static Principal a_name_data; /* for requesting user */
 static Principal s_name_data;  /* for services requested */
 static C_Block session_key;
 
-static char log_text[128];
+static char log_text[512];
 static char *lt;
 static int more;
 
@@ -217,6 +217,12 @@ krb5_data **resp;
     KTEXT_ST v4_pkt;
     char *lrealm;
 
+    /* Check if disabled completely */
+    if (kdc_v4 == KDC_V4_NONE) {
+       (void) klog(L_KRB_PERR, "Disabled KRB V4 request");
+       return KRB5KDC_ERR_BAD_PVNO;
+    }
+
     if ((retval = krb5_timeofday(kdc_context, (krb5_timestamp *) &kerb_time.tv_sec)))
         return(retval);
 
@@ -239,16 +245,13 @@ krb5_data **resp;
     /* convert v5 packet structure to v4's.
      * this copy is gross, but necessary:
      */
+    if (pkt->length > MAX_KTXT_LEN) {
+           (void) klog(L_KRB_PERR, "V4 request too long.");
+           return KRB5KRB_ERR_FIELD_TOOLONG;
+    }
     v4_pkt.length = pkt->length;
     memcpy( v4_pkt.dat, pkt->data, pkt->length);
 
-    /* Check if disabled completely */
-    if (kdc_v4 == KDC_V4_NONE) {
-       (void) klog(L_KRB_PERR,
-       "Disabled KRB V4 request");
-       return KRB5KDC_ERR_BAD_PVNO;
-    }
-
     kerberos_v4( &client_sockaddr, &v4_pkt);
     *resp = response;
     return(retval);
@@ -504,6 +507,21 @@ kerb_get_principal(name, inst, principal, maxn, more)
     *more = (int) more5 || (nprinc > maxn);
     return( nprinc);
 }
+
+static void str_length_check(str, max_size)
+       char    *str;
+       int     max_size;
+{
+       int     i;
+       char    *cp;
+
+       for (i=0, cp = str; i < max_size-1; i++, cp++) {
+               if (*cp == 0)
+                       return;
+       }
+       *cp = 0;
+}
+
 void
 kerberos_v4(client, pkt)
     struct sockaddr_in *client;
@@ -595,8 +613,11 @@ kerberos_v4(client, pkt)
 
            /* set up and correct for byte order and alignment */
            req_name_ptr = (char *) pkt_a_name(pkt);
+           str_length_check(req_name_ptr, ANAME_SZ);
            req_inst_ptr = (char *) pkt_a_inst(pkt);
+           str_length_check(req_inst_ptr, INST_SZ);
            req_realm_ptr = (char *) pkt_a_realm(pkt);
+           str_length_check(req_realm_ptr, REALM_SZ);
            memcpy(&req_time_ws, pkt_time_ws(pkt), sizeof(req_time_ws));
            /* time has to be diddled */
            if (swap_bytes) {
@@ -607,7 +628,9 @@ kerberos_v4(client, pkt)
            req_life = (u_long) (*ptr++);
 
            service = ptr;
+           str_length_check(service, SNAME_SZ);
            instance = ptr + strlen(service) + 1;
+           str_length_check(instance, INST_SZ);
 
            rpkt = &rpkt_st;
 
@@ -739,7 +762,9 @@ kerberos_v4(client, pkt)
            req_life = (u_long) (*ptr++);
 
            service = ptr;
+           str_length_check(service, SNAME_SZ);
            instance = ptr + strlen(service) + 1;
+           str_length_check(instance, INST_SZ);
 
            klog(L_APPL_REQ, "APPL Request %s.%s@%s on %s for %s.%s",
             ad->pname, ad->pinst, ad->prealm,