* realmofhost.c (krb_realmofhost): Add bounds checking to various

	things.

	* g_krbhst.c (krb_get_krbhst): Fix to bound fscanf and sscanf.

	* g_krbrlm.c (krb_get_lrealm): Fix to bound fscanf.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10066 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/krb4/ChangeLog b/src/lib/krb4/ChangeLog
index d00a26da84e17cd4838726d835812bca4a5f49f3..a8911e511d1d3577fc428b541000a8abd7b137f5 100644 (file)
--- a/src/lib/krb4/ChangeLog
+++ b/src/lib/krb4/ChangeLog
@@ -1,3 +1,12 @@
+Wed Apr  9 23:15:39 1997  Tom Yu  <tlyu@mit.edu>
+
+       * realmofhost.c (krb_realmofhost): Add bounds checking to various
+       things.
+
+       * g_krbhst.c (krb_get_krbhst): Fix to bound fscanf and sscanf.
+
+       * g_krbrlm.c (krb_get_lrealm): Fix to bound fscanf.
+
 Sat Feb 22 19:02:08 1997  Richard Basch  <basch@lehman.com>
 
        * Makefile.in: Use some of the new library list build rules in

diff --git a/src/lib/krb4/g_krbhst.c b/src/lib/krb4/g_krbhst.c
index c95abdb20771c5bd49d91d465be284d35bced00a..529ac07694932ba3b7c5b12e3bc391e8fbbdf608 100644 (file)
--- a/src/lib/krb4/g_krbhst.c
+++ b/src/lib/krb4/g_krbhst.c
@@ -75,7 +75,7 @@ krb_get_krbhst(h,r,n)
     cnffile = krb__get_cnffile();
     if (!cnffile)
         return get_krbhst_default(h, r, n);
-    if (fscanf(cnffile,"%s",tr) == EOF)
+    if (fscanf(cnffile,"%39s",tr) == EOF) /* XXX assumes REALM_SZ == 40 */
         return get_krbhst_default(h, r, n);
     /* run through the file, looking for the nth server for this realm */
     for (i = 1; i <= n;) {
@@ -83,7 +83,7 @@ krb_get_krbhst(h,r,n)
             (void) fclose(cnffile);
             return get_krbhst_default(h, r, n);
         }
-       if (sscanf(linebuf, "%s %s", tr, h) != 2)
+       if (sscanf(linebuf, "%39s %1023s", tr, h) != 2) /* REALM_SZ == 40 */
            continue;
         if (!strcmp(tr,r))
             i++;

diff --git a/src/lib/krb4/g_krbrlm.c b/src/lib/krb4/g_krbrlm.c
index c6f9345856cd713d7b0cd9bf2f5cb047e414f710..983150ce40390e9f38668d327ff8f4a36d36ca70 100644 (file)
--- a/src/lib/krb4/g_krbrlm.c
+++ b/src/lib/krb4/g_krbrlm.c
@@ -51,7 +51,11 @@ krb_get_lrealm(r,n)
            return(KFAILURE);
     }
 
-    if (fscanf(cnffile,"%s",r) != 1) {
+    /*
+     * XXX This assumes REALM_SZ == 40,
+     * and that r is 40 characters long.
+     */
+    if (fscanf(cnffile,"%39s",r) != 1) {
         (void) fclose(cnffile);
         return(KFAILURE);
     }

diff --git a/src/lib/krb4/realmofhost.c b/src/lib/krb4/realmofhost.c
index 73af92931de95f12c912ed1606edf5598cd53f70..b15ce94147428978e077cc81c41e75f2612d8c60 100644 (file)
--- a/src/lib/krb4/realmofhost.c
+++ b/src/lib/krb4/realmofhost.c
@@ -44,12 +44,16 @@ static char ret_realm[REALM_SZ+1];
 
 KRB5_DLLIMP char FAR * KRB5_CALLCONV
 krb_realmofhost(host)
-char FAR *host;
+    char FAR *host;
 {
        char *domain;
        FILE *trans_file;
        FILE *krb__get_realmsfile();
-       char trans_host[MAXHOSTNAMELEN+1];
+       /*
+        * This used to be MAXHOSTNAMELEN, but we don't know how big
+        * that will necessarily be on all systems, so assume 1024.
+        */
+       char trans_host[1024];
        char trans_realm[REALM_SZ+1];
        int retval;
        struct hostent *h;
@@ -112,24 +116,28 @@ char FAR *host;
 
        /* loop while not exact match, and more entries to read */
        while (1) {
-               if ((retval = fscanf(trans_file, "%s %s",
+               /* XXX REALM_SZ == 40 */
+               if ((retval = fscanf(trans_file, "%1023s %40s",
                                     trans_host, trans_realm)) != 2) {
                        if (retval == EOF)
                          break;
                        continue;       /* ignore broken lines */
                }
-               trans_host[MAXHOSTNAMELEN] = '\0';
+               trans_host[(MAXHOSTNAMELEN <= 1023) ? MAXHOSTNAMELEN : 1023]
+                       = '\0';
                trans_realm[REALM_SZ] = '\0';
                if (trans_host[0] == '.') {
                  /* want domain match only */
-                 if (domain && !strcasecmp (trans_host, domain)) {
+                 if (domain && (strlen(trans_host) == strlen(domain))
+                     && !strcasecmp (trans_host, domain)) {
                    /* got domain match, save for later */
                    (void) strcpy (ret_realm, trans_realm);
                    continue;
                  }
                } else {
                  /* want exact match of hostname */
-                 if (!strcasecmp (trans_host, lhost)) {
+                 if ((strlen(lhost) == strlen(trans_host)) &&
+                     !strcasecmp (trans_host, lhost)) {
                    (void) strcpy (ret_realm, trans_realm);
                    break;
                  }