From: Ken Raeburn Date: Fri, 18 Apr 2008 19:31:47 +0000 (+0000) Subject: fix possible buffer overrun in handling generic-error return X-Git-Tag: krb5-1.7-alpha1~696 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=526cd36b7634be742ba666bdb396d2c5844361e4;p=krb5.git fix possible buffer overrun in handling generic-error return Jeff Altman reported this, based on a crash seen in KfW in the wild. The krb5_data handle used to describe the message field returned by the KDC is not null-terminated, but we use a "%s" format to incorporate it into an error message string. In the right circumstances, garbage bytes can be pulled into the string, or a memory fault may result. However, as this is in the error-reporting part of the client-side code for fetching new credentials, it's a relatively minor DoS attack only, not a serious security exposure. Should be fixed in the next releases, though. ticket: new target_version: 1.6.5 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20304 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c index 518d0244b..7ecd2813d 100644 --- a/src/lib/krb5/krb/gc_via_tkt.c +++ b/src/lib/krb5/krb/gc_via_tkt.c @@ -1,7 +1,7 @@ /* * lib/krb5/krb/gc_via_tgt.c * - * Copyright 1990,1991,2007 by the Massachusetts Institute of Technology. + * Copyright 1990,1991,2007,2008 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -244,7 +244,8 @@ krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt, switch (err_reply->error) { case KRB_ERR_GENERIC: krb5_set_error_message(context, retval, - "KDC returned error string: %s", + "KDC returned error string: %.*s", + err_reply->text.length, err_reply->text.data); break; case KDC_ERR_S_PRINCIPAL_UNKNOWN: