From: Ken Raeburn <raeburn@mit.edu>
Date: Thu, 25 Jan 2001 23:52:14 +0000 (+0000)
Subject: more afsstring2key unterminated-input checks & fixes
X-Git-Tag: krb5-1.3-alpha1~1688
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=a82bd0233e9f85b6c9d071d10dd6ce45c19625dd;p=krb5.git

more afsstring2key unterminated-input checks & fixes

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12945 dc483132-0cff-0310-8789-dd5450dbe970
---

diff --git a/src/lib/crypto/des/afsstring2key.c b/src/lib/crypto/des/afsstring2key.c
index 59417d5bf..5cd380ae4 100644
--- a/src/lib/crypto/des/afsstring2key.c
+++ b/src/lib/crypto/des/afsstring2key.c
@@ -96,7 +96,9 @@ mit_afs_string_to_key (keyblock, data, salt)
 	if (password[i] == '\0')
 	  password[i] = 'X';
       password[8] = '\0';
-      strncpy(key, (char *) afs_crypt(password, "#~", afs_crypt_buf) + 2, 8);
+      strncpy(key,
+	      (char *) afs_crypt(password, "#~"/*"p1"*/, afs_crypt_buf) + 2,
+	      8);
       for (i=0; i<8; i++)
 	key[i] <<= 1;
       /* now fix up key parity again */
@@ -112,7 +114,7 @@ mit_afs_string_to_key (keyblock, data, salt)
 
       /* some bound checks from the original code are elided here as
 	 the malloc above makes sure we have enough storage. */
-      strcpy (password, data->data);
+      memcpy (password, data->data, data->length);
       for (i=data->length, j = 0; j < salt->length; i++, j++) {
 	password[i] = realm[j];
 	if (isupper(password[i]))
diff --git a/src/lib/crypto/des/t_afss2k.c b/src/lib/crypto/des/t_afss2k.c
index ba59e1ac4..851465006 100644
--- a/src/lib/crypto/des/t_afss2k.c
+++ b/src/lib/crypto/des/t_afss2k.c
@@ -44,6 +44,11 @@ struct test_case test_cases[] = {
 		}
 	},
 	{
+		/* This one intentionally supplies a length shorter
+		   than the string.  The point of this is to ensure
+		   that s[len] is not zero, so that anything actually
+		   relying on that value (i.e., reading out of bounds)
+		   should generate incorrect results.  */
 		"NaCl2", 4,
 		{
 			{ 0x61, 0xef, 0xe6, 0x83, 0xe5, 0x8a, 0x6b, 0x98 },
@@ -83,6 +88,7 @@ do_it (struct test_case *tcase)
 	krb5_keyblock key;
 	krb5_error_code err;
 	int i;
+	unsigned char longpass[2048];
 
 	key.contents = keydata;
 	key.length = sizeof (keydata);
@@ -109,4 +115,19 @@ do_it (struct test_case *tcase)
 		if (memcmp (tcase->keys[i], keydata, 8) != 0)
 			abort ();
 	}
+
+	memset (longpass, '!', sizeof (longpass));
+	longpass[sizeof (longpass)-1] = '\0';
+	memcpy (longpass, "My Password", strlen ("My Password"));
+	passwd.data = longpass;
+	for (i = 0; i < 12; i++) {
+		passwd.length = i;
+		err = mit_afs_string_to_key (&key, &passwd, &salt);
+		if (err != 0) {
+			com_err (me, err, "");
+			exit (1);
+		}
+		if (memcmp (tcase->keys[i], keydata, 8) != 0)
+			abort ();
+	}
 }