From: Tom Yu <tlyu@mit.edu>
Date: Fri, 20 Mar 1998 22:14:15 +0000 (+0000)
Subject: 	* kdc_util.c (add_to_transited): Check lengths, fix up comma
X-Git-Tag: krb5-1.1-beta1~771
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=32ec08da243443fd9cc6919aa183bbc678d0586d;p=krb5.git

	* kdc_util.c (add_to_transited): Check lengths, fix up comma
	quoting somewhat (though things are still way broken).

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10502 dc483132-0cff-0310-8789-dd5450dbe970
---

diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog
index eaab61b0e..ce3fc0f27 100644
--- a/src/kdc/ChangeLog
+++ b/src/kdc/ChangeLog
@@ -1,3 +1,8 @@
+Fri Mar 20 17:13:46 1998  Tom Yu  <tlyu@mit.edu>
+
+	* kdc_util.c (add_to_transited): Check lengths, fix up comma
+	quoting somewhat (though things are still way broken).
+
 Fri Feb 20 15:58:21 1998  Theodore Y. Ts'o  <tytso@mit.edu>
 
 	* kdc_preauth.c (get_preauth_hint_list): Don't add the pseudo
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index ac969841a..863ffd19c 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -537,6 +537,7 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server)
     krb5_principal client;
     krb5_principal server;
 {
+  krb5_error_code retval;
   char        *realm;
   char        *trans;
   char        *otrans, *otrans_ptr;
@@ -548,6 +549,7 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server)
   char        current[MAX_REALM_LN];
   char        exp[MAX_REALM_LN];      /* Expanded current realm name     */
 
+  int	      i;
   int         clst, nlst;    /* count of last character in current and next */
   int         pl, pl1;       /* prefix length                               */
   int         added;         /* TRUE = new realm has been added             */
@@ -572,9 +574,8 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server)
      +1 for extra comma which may be added between
      +1 for potential space when leading slash in realm */
   if (!(trans = (char *) malloc(strlen(realm) + strlen(otrans) + 3))) {
-    free(realm);
-    free(otrans_ptr);
-    return(ENOMEM);
+    retval = ENOMEM;
+    goto fail;
   }
 
   if (new_trans->data)  free(new_trans->data);
@@ -588,18 +589,25 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server)
 
   prev[0] = '\0';
 
-  /***** In next statement, need to keep reading if the , was quoted *****/
   /* read field into current */
-
-  if (sscanf(otrans, "%[^,]", current) == 1) {
-    otrans += strlen(current);
-  }
-  else {
-    current[0] = '\0';
+  for (i = 0; *otrans != '\0';) {
+    if (*otrans == '\\')
+      if (*(++otrans) == '\0')
+	break;
+      else
+	continue;
+    if (*otrans == ',') {
+      otrans++;
+      break;
+    }
+    current[i++] = *otrans++;
+    if (i >= MAX_REALM_LN) {
+      retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+      goto fail;
+    }
   }
+  current[i] = '\0';
 
-  if (otrans[0] == ',')  otrans++;
-             
   added = (krb5_princ_realm(kdc_context, client)->length == strlen(realm) &&
            !strncmp(krb5_princ_realm(kdc_context, client)->data, realm, strlen(realm))) ||
           (krb5_princ_realm(kdc_context, server)->length == strlen(realm) &&
@@ -615,29 +623,43 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server)
     }
     else if ((current[0] == '/') && (prev[0] == '/')) {
       strcpy(exp, prev);
+      if (strlen(exp) + strlen(current) + 1 >= MAX_REALM_LN) {
+	retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+	goto fail;
+      }
       strcat(exp, current);
     }
     else if (current[clst] == '.') {
       strcpy(exp, current);
+      if (strlen(exp) + strlen(current) + 1 >= MAX_REALM_LN) {
+	retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+	goto fail;
+      }
       strcat(exp, prev);
     }
     else {
       strcpy(exp, current);
     }
 
-    /***** next statement, need to keep reading if the , was quoted *****/
     /* read field into next */
-
-    if (sscanf(otrans, "%[^,]", next) == 1) {
-      otrans += strlen(next);
-      nlst    = strlen(next) - 1;
-    }
-    else {
-      next[0] = '\0';
-      nlst    = 0;
+    for (i = 0; *otrans != '\0';) {
+      if (*otrans == '\\')
+	if (*(++otrans) == '\0')
+	  break;
+	else
+	  continue;
+      if (*otrans == ',') {
+	otrans++;
+	break;
+      }
+      next[i++] = *otrans++;
+      if (i >= MAX_REALM_LN) {
+	retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+	goto fail;
+      }
     }
-
-    if (otrans[0] == ',')  otrans++;
+    next[i] = '\0';
+    nlst = i - 1;
 
     if (!strcmp(exp, realm))  added = TRUE;
 
@@ -658,6 +680,10 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server)
       if ((next[nlst] != '.') && (next[0] != '/') &&
           (pl = subrealm(exp, realm))) {
         added = TRUE;
+	if (strlen(current) + (pl>0?pl:-pl) + 2 >= MAX_REALM_LN) {
+	  retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+	  goto fail;
+	}
         strcat(current, ",");
         if (pl > 0) {
           strncat(current, realm, pl);
@@ -681,6 +707,10 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server)
         added      = TRUE;
         current[0] = '\0';
         if ((pl1 = subrealm(prev,realm))) {
+	  if (strlen(current) + (pl1>0?pl1:-pl1) + 1 >= MAX_REALM_LN) {
+	    retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+	    goto fail;
+	  }
           if (pl1 > 0) {
             strncat(current, realm, pl1);
           }
@@ -690,10 +720,22 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server)
         }
         else { /* If not a subrealm */
           if ((realm[0] == '/') && prev[0]) {
-            strcat(current, " ");
+	    if (strlen(current) + 2 >= MAX_REALM_LN) {
+	      retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+	      goto fail;
+	    }
+	    strcat(current, " ");
           }
+	  if (strlen(current) + strlen(realm) + 1 >= MAX_REALM_LN) {
+	    retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+	    goto fail;
+	  }
           strcat(current, realm);
         }
+	if (strlen(current) + (pl>0?pl:-pl) + 2 >= MAX_REALM_LN) {
+	  retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+	  goto fail;
+	}
         strcat(current,",");
         if (pl > 0) {
           strncat(current, exp, pl);
@@ -704,7 +746,17 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server)
       }
     }
 
-    if (new_trans->length != 0)  strcat(trans, ",");
+    if (new_trans->length != 0) {
+      if (strlen(trans) + 2 >= MAX_REALM_LN) {
+	retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+	goto fail;
+      }
+      strcat(trans, ",");
+    }
+    if (strlen(trans) + strlen(current) + 1 >= MAX_REALM_LN) {
+      retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+      goto fail;
+    }
     strcat(trans, current);
     new_trans->length = strlen(trans) + 1;
 
@@ -713,15 +765,33 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server)
   }
 
   if (!added) {
-    if (new_trans->length != 0)  strcat(trans, ",");
-    if((realm[0] == '/') && trans[0])  strcat(trans, " ");
+    if (new_trans->length != 0) {
+      if (strlen(trans) + 2 >= MAX_REALM_LN) {
+	retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+	goto fail;
+      }
+      strcat(trans, ",");
+    }
+    if((realm[0] == '/') && trans[0]) {
+      if (strlen(trans) + 2 >= MAX_REALM_LN) {
+	retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+	goto fail;
+      }
+      strcat(trans, " ");
+    }
+    if (strlen(trans) + strlen(realm) + 1 >= MAX_REALM_LN) {
+      retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+      goto fail;
+    }
     strcat(trans, realm);
     new_trans->length = strlen(trans) + 1;
   }
 
+  retval = 0;
+fail:
   free(realm);
   free(otrans_ptr);
-  return(0);
+  return (retval);
 }
 
 /*