From: Greg Hudson
Date: Fri, 23 Jan 2009 18:41:39 +0000 (+0000)
Subject: In krb5_pac_parse, change the code around a bit to avoid harmlessly
X-Git-Tag: krb5-1.7-alpha1~42
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=a9ae59f02a18b8a338af44ff3e561eafc2104bca;p=krb5.git

In krb5_pac_parse, change the code around a bit to avoid harmlessly
copying an uninitialized Buffers field of a PACTYPE structure.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21788 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 3cfc188c5..fb5f597a6 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -307,25 +307,25 @@ krb5_pac_parse(krb5_context context,
 {
 krb5_error_code ret;
 size_t i;
- PACTYPE header;
 const unsigned char *p = (const unsigned char *)ptr;
 krb5_pac pac;
 size_t header_len;
+ krb5_ui_4 cbuffers, version;
 *ppac = NULL;
 if (len < PACTYPE_LENGTH) return ERANGE;
- header.cBuffers = load_32_le(p);
+ cbuffers = load_32_le(p);
 p += 4;
- header.Version = load_32_le(p);
+ version = load_32_le(p);
 p += 4;
- if (header.Version != 0)
+ if (version != 0)
 return EINVAL;
- header_len = PACTYPE_LENGTH + (header.cBuffers * PAC_INFO_BUFFER_LENGTH);
+ header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH);
 if (len < header_len) return ERANGE;
@@ -334,13 +334,14 @@ krb5_pac_parse(krb5_context context,
 return ret;
 pac->pac = (PACTYPE *)realloc(pac->pac,
- sizeof(PACTYPE) + ((header.cBuffers - 1) * sizeof(PAC_INFO_BUFFER)));
+ sizeof(PACTYPE) + ((cbuffers - 1) * sizeof(PAC_INFO_BUFFER)));
 if (pac->pac == NULL) {
 krb5_pac_free(context, pac);
 return ENOMEM;
 }
- memcpy(pac->pac, &header, sizeof(header));
+ pac->pac->cBuffers = cbuffers;
+ pac->pac->Version = version;
 for (i = 0; i < pac->pac->cBuffers; i++) {
 PAC_INFO_BUFFER *buffer = &pac->pac->Buffers[i];
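Review bot: `cbuffers` comes straight from the input buffer, and the size arithmetic built on it is still unchecked. In `header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH)` the product is formed before the assignment to `size_t`, so if `PAC_INFO_BUFFER_LENGTH` is an int-sized constant (its definition is not in the hunk), a large count wraps in 32 bits and the `len < header_len` test passes for a short input. The same value feeds `(cbuffers - 1) * sizeof(PAC_INFO_BUFFER)` in the realloc of the following hunk, where a count of zero wraps to a very large multiplier. Bounding the count against the input length after the version check would cover both, for example `if (cbuffers == 0 || cbuffers > (len - PACTYPE_LENGTH) / PAC_INFO_BUFFER_LENGTH) return ERANGE;`; the subtraction is safe because `len >= PACTYPE_LENGTH` is already established above, and whether zero buffers should be rejected or handled by sizing without the `- 1` is a decision for the maintainers. The body of krb5_pac_parse starts and ends outside the hunks.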
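Review bot: The result of `realloc` is assigned directly to `pac->pac`, so on failure the previous block is no longer reachable from `pac` and `krb5_pac_free(context, pac)` is called with `pac->pac == NULL`. Unless the free routine has another reference to that block (not visible here), the ENOMEM path leaks it. Holding the result in a temporary keeps the old pointer valid for cleanup: assign `realloc(...)` to a local `PACTYPE *`, return `ENOMEM` after `krb5_pac_free` if it is NULL, and only then store it with `pac->pac = tmp;`. A short comment above the two new field assignments, such as `/* Buffers[] is filled in by the loop below; only the fixed fields are set here. */`, would also record why the `memcpy` was replaced.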