From 605c7645d316bb591aaad9a1911d0c3c68032272 Mon Sep 17 00:00:00 2001
From: Ezra Peisach <epeisach@mit.edu>
Date: Thu, 1 Feb 2007 19:17:31 +0000
Subject: [PATCH] buffer overflow in krb5_kt_get_name

krb5_kt_get_name() allows the called to specify the size of the buffer to copy
the name into. The size must be big enough for the tailing nul character.

If one specified a buffer length that is precisely the strlen w/o allowing for
the nul - the functions would copy one past the end of the buffer.

No code in our tree would be subject this problem - as buffers in use are 1024
or BUFSIZ....

The logic failure was:

strlen(p+1) vs. strlen(p)+1

The code is essentially duplicated in the three changed files.

Ticket: new

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19137 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/krb5/keytab/kt_file.c   | 2 +-
 src/lib/krb5/keytab/kt_memory.c | 2 +-
 src/lib/krb5/keytab/kt_srvtab.c | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
index 92947d593..fe44ff65e 100644
--- a/src/lib/krb5/keytab/kt_file.c
+++ b/src/lib/krb5/keytab/kt_file.c
@@ -408,7 +408,7 @@ krb5_ktfile_get_name(krb5_context context, krb5_keytab id, char *name, unsigned
     name++;
     len -= strlen(id->ops->prefix)+1;
 
-    if (len < strlen(KTFILENAME(id)+1))
+    if (len < strlen(KTFILENAME(id))+1)
 	return(KRB5_KT_NAME_TOOLONG);
     strcpy(name, KTFILENAME(id));
     /* strcpy will NUL-terminate the destination */
diff --git a/src/lib/krb5/keytab/kt_memory.c b/src/lib/krb5/keytab/kt_memory.c
index 76aa31cbf..f30c7d7b5 100644
--- a/src/lib/krb5/keytab/kt_memory.c
+++ b/src/lib/krb5/keytab/kt_memory.c
@@ -472,7 +472,7 @@ krb5_mkt_get_name(krb5_context context, krb5_keytab id, char *name, unsigned int
     name++;
     len -= strlen(id->ops->prefix)+1;
 
-    if (len < strlen(KTNAME(id)+1))
+    if (len < strlen(KTNAME(id))+1)
 	return(KRB5_KT_NAME_TOOLONG);
     strcpy(name, KTNAME(id));
     /* strcpy will NUL-terminate the destination */
diff --git a/src/lib/krb5/keytab/kt_srvtab.c b/src/lib/krb5/keytab/kt_srvtab.c
index cb9d9c1bc..d96cf1661 100644
--- a/src/lib/krb5/keytab/kt_srvtab.c
+++ b/src/lib/krb5/keytab/kt_srvtab.c
@@ -266,7 +266,7 @@ krb5_ktsrvtab_get_name(krb5_context context, krb5_keytab id, char *name, unsigne
     name++;
     len -= strlen(id->ops->prefix)+1;
 
-    if (len < strlen(KTFILENAME(id)+1))
+    if (len < strlen(KTFILENAME(id))+1)
 	return(KRB5_KT_NAME_TOOLONG);
     strcpy(name, KTFILENAME(id));
     /* strcpy will NUL-terminate the destination */
-- 
2.26.2