In krb5_pac_parse, change the code around a bit to avoid harmlessly
authorGreg Hudson <ghudson@mit.edu>
Fri, 23 Jan 2009 18:41:39 +0000 (18:41 +0000)
committerGreg Hudson <ghudson@mit.edu>
Fri, 23 Jan 2009 18:41:39 +0000 (18:41 +0000)
copying an uninitialized Buffers field of a PACTYPE structure.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21788 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/krb5/krb/pac.c

index 3cfc188c517b6522dc8b128279bc2e03656c8ec1..fb5f597a60ff22addaa1d2814ae24b37515345c2 100644 (file)
@@ -307,25 +307,25 @@ krb5_pac_parse(krb5_context context,
 {
     krb5_error_code ret;
     size_t i;
-    PACTYPE header;
     const unsigned char *p = (const unsigned char *)ptr;
     krb5_pac pac;
     size_t header_len;
+    krb5_ui_4 cbuffers, version;
 
     *ppac = NULL;
 
     if (len < PACTYPE_LENGTH)
        return ERANGE;
 
-    header.cBuffers = load_32_le(p);
+    cbuffers = load_32_le(p);
     p += 4;
-    header.Version = load_32_le(p);
+    version = load_32_le(p);
     p += 4;
 
-    if (header.Version != 0)
+    if (version != 0)
        return EINVAL;
 
-    header_len = PACTYPE_LENGTH + (header.cBuffers * PAC_INFO_BUFFER_LENGTH);
+    header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH);
     if (len < header_len)
        return ERANGE;
 
@@ -334,13 +334,14 @@ krb5_pac_parse(krb5_context context,
        return ret;
 
     pac->pac = (PACTYPE *)realloc(pac->pac,
-       sizeof(PACTYPE) + ((header.cBuffers - 1) * sizeof(PAC_INFO_BUFFER)));
+       sizeof(PACTYPE) + ((cbuffers - 1) * sizeof(PAC_INFO_BUFFER)));
     if (pac->pac == NULL) {
        krb5_pac_free(context, pac);
        return ENOMEM;
     }
 
-    memcpy(pac->pac, &header, sizeof(header));
+    pac->pac->cBuffers = cbuffers;
+    pac->pac->Version = version;
 
     for (i = 0; i < pac->pac->cBuffers; i++) {
        PAC_INFO_BUFFER *buffer = &pac->pac->Buffers[i];
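Review bot: `pac->pac = (PACTYPE *)realloc(pac->pac, ...)` overwrites the only reference to the previous allocation, so on realloc failure pac->pac is NULL when krb5_pac_free is called and whatever pac->pac pointed to before (presumably set up by the init call just above the hunk) is leaked. Use a temporary: `PACTYPE *np = realloc(pac->pac, sizeof(PACTYPE) + ((cbuffers - 1) * sizeof(PAC_INFO_BUFFER)));` then `if (np == NULL) { krb5_pac_free(context, pac); return ENOMEM; }` and `pac->pac = np;`. Separately, unless a zero cbuffers is rejected earlier in the function, `cbuffers - 1` wraps to 0xFFFFFFFF here and the allocation size becomes either an ENOMEM or, on a 32-bit size_t, a wrapped small size; a comment such as `/* cbuffers >= 1 guaranteed by the header check above */` would at least make the assumption explicit. The loop starting at the last line continues below this hunk.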