From 31a19646b08927959914de5fb295aa9355e7dd38 Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Tue, 26 Jun 2007 18:29:52 +0000 Subject: [PATCH] pull up r19637 from trunk r19637@cathode-dark-space: tlyu | 2007-06-26 14:08:35 -0400 ticket: new target_version: 1.6.2 tags: pullup subject: fix MITKRB5-SA-2007-005 [CVE-2007-2798/VU#554257] Truncate the principal names when logging a rename operation to avoid a stack buffer overflow. ticket: 5586 version_fixed: 1.6.2 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@19639 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kadmin/server/server_stubs.c | 34 ++++++++++++++++++++++++++------ 1 file changed, 28 insertions(+), 6 deletions(-) diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c index cf823984f..f09154045 100644 --- a/src/kadmin/server/server_stubs.c +++ b/src/kadmin/server/server_stubs.c @@ -545,13 +545,14 @@ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp) static generic_ret ret; char *prime_arg1, *prime_arg2; - char prime_arg[BUFSIZ]; gss_buffer_desc client_name, service_name; OM_uint32 minor_stat; kadm5_server_handle_t handle; restriction_t *rp; char *errmsg; + size_t tlen1, tlen2, clen, slen; + char *tdots1, *tdots2, *cdots, *sdots; xdr_free(xdr_generic_ret, &ret); @@ -572,7 +573,14 @@ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp) ret.code = KADM5_BAD_PRINCIPAL; goto exit_func; } - sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2); + tlen1 = strlen(prime_arg1); + trunc_name(&tlen1, &tdots1); + tlen2 = strlen(prime_arg2); + trunc_name(&tlen2, &tdots2); + clen = client_name.length; + trunc_name(&clen, &cdots); + slen = service_name.length; + trunc_name(&slen, &sdots); ret.code = KADM5_OK; if (! CHANGEPW_SERVICE(rqstp)) { 
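Review bot: The new `size_t tlen1, tlen2, clen, slen;` declaration in this hunk is later consumed by `%.*s` conversions in the two krb5_klog_syslog calls (hunks @@ -590 and @@ -600), but the `*` precision of a printf-family format takes an `int`, so passing `size_t` is a format/argument type mismatch that the C standard treats as undefined and that reads the wrong argument width on LP64 targets. Cast at each use, e.g. `(int)tlen1, prime_arg1, tdots1,` and likewise for tlen2, clen and slen in both calls, or declare these as `int` if trunc_name's interface permits. trunc_name is not defined in this patch, so I am assuming it clamps the length to a bounded maximum; if it does not, the cast alone is not sufficient. rename_principal_2_svc's body continues beyond this hunk.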
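Review bot: The eight lines replacing the sprintf into the BUFSIZ buffer carry no comment, so a reader of this function cannot tell why each name is passed through trunc_name before logging. Add a why-comment above the first call, e.g. `/* Clamp the logged length of each name; an unbounded "%s to %s" overflowed the old stack buffer (MITKRB5-SA-2007-005). */`. The function starts and ends outside this hunk.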
@@ -590,8 +598,15 @@ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp) } else ret.code = KADM5_AUTH_INSUFFICIENT; if (ret.code != KADM5_OK) { - log_unauth("kadm5_rename_principal", prime_arg, - &client_name, &service_name, rqstp); + krb5_klog_syslog(LOG_NOTICE, + "Unauthorized request: kadm5_rename_principal, " + "%.*s%s to %.*s%s, " + "client=%.*s%s, service=%.*s%s, addr=%s", + tlen1, prime_arg1, tdots1, + tlen2, prime_arg2, tdots2, + clen, client_name.value, cdots, + slen, service_name.value, sdots, + inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } else { ret.code = kadm5_rename_principal((void *)handle, arg->src, arg->dest); @@ -600,8 +615,15 @@ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp) else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); - log_done("kadm5_rename_principal", prime_arg, errmsg, - &client_name, &service_name, rqstp); + krb5_klog_syslog(LOG_NOTICE, + "Request: kadm5_rename_principal, " + "%.*s%s to %.*s%s, %s, " + "client=%.*s%s, service=%.*s%s, addr=%s", + tlen1, prime_arg1, tdots1, + tlen2, prime_arg2, tdots2, errmsg, + clen, client_name.value, cdots, + slen, service_name.value, sdots, + inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } free_server_handle(handle); free(prime_arg1); -- 2.26.2
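Review bot: `client_name.value` and `service_name.value` are passed to `%.*s` in the new krb5_klog_syslog call, but the `value` member of a gss_buffer_desc is `void *` while `%s` expects `char *`; write `(char *)client_name.value` and `(char *)service_name.value` so the argument types match the format (the same applies in the @@ -600 hunk, and the `size_t`-to-`%.*s` width issue raised on the first hunk applies to both calls as well). As a point of style, the two calls repeat the same "client=%.*s%s, service=%.*s%s, addr=%s" tail and argument list nearly verbatim; a small static helper taking the already-truncated lengths and dots would keep the format in one place and make future additions to the log line harder to get out of sync. rename_principal_2_svc's body starts before and continues past this hunk.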