From 6772cbcb5be8aa088e5bcfbe1db78edb83fd07d7 Mon Sep 17 00:00:00 2001
From: Ken Raeburn
Date: Wed, 1 Sep 1999 21:50:32 +0000
Subject: [PATCH] jaltman's principal-name check from 1.1 branch, indentation fixed

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11776 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/appl/telnet/libtelnet/ChangeLog | 4 ++++
 src/appl/telnet/libtelnet/kerberos5.c | 27 +++++++++++++++++++++++++--
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/src/appl/telnet/libtelnet/ChangeLog b/src/appl/telnet/libtelnet/ChangeLog
index c3a779a42..61e3fc8e3 100644
--- a/src/appl/telnet/libtelnet/ChangeLog
+++ b/src/appl/telnet/libtelnet/ChangeLog
@@ -1,3 +1,7 @@
+1999-08-31 17:28 Jeffrey Altman
+
+ * kerberos5.c: Ensure that only "host" service tickets are accepted.
+
 Wed Feb 3 22:59:27 1999 Theodore Y. Ts'o

 * kerberos5.c: Increase size of str_data so that we can accept
diff --git a/src/appl/telnet/libtelnet/kerberos5.c b/src/appl/telnet/libtelnet/kerberos5.c
index 73b2c8780..3fa9ca43b 100644
--- a/src/appl/telnet/libtelnet/kerberos5.c
+++ b/src/appl/telnet/libtelnet/kerberos5.c
@@ -377,7 +377,7 @@ kerberos5_is(ap, data, cnt)
 #ifdef ENCRYPTION
 Session_Key skey;
 #endif
- char errbuf[128];
+ char errbuf[320];
 char *name;
 char *getenv();
 krb5_data inbuf;
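Review bot: The new sizes `errbuf[320]` here and `eerrbuf[329]` in the `errout:` hunk are bare numbers whose derivation is no longer visible, where the old `128+9` at least showed the length of the "telnetd: " prefix. By my count the longest message the new service-name check can format is 292 bytes including the terminator (fixed text plus a 255-byte component), so 320 is sufficient, but nothing ties it to `princ[256]` or to the format string. I would put a comment on `errbuf` such as `/* holds the "incorrect service name" text plus a 255-byte component */` and declare the second buffer as `char eerrbuf[sizeof(errbuf) + 9];` so the two sizes cannot drift apart. `kerberos5_is` starts and ends outside both hunks.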
@@ -423,6 +423,29 @@ kerberos5_is(ap, data, cnt) (void) strcat(errbuf, error_message(r)); goto errout; } + + /* + * 256 bytes should be much larger than any reasonable + * first component of a service name especially since + * the default is of length 4. + */ + if (krb5_princ_component(telnet_context,ticket->server,0)->length < 256) { + char princ[256]; + strncpy(princ, + krb5_princ_component(telnet_context, ticket->server,0)->data, + krb5_princ_component(telnet_context, ticket->server,0)->length); + princ[krb5_princ_component(telnet_context, + ticket->server,0)->length] = '\0'; + if (strcmp("host", princ)) { + (void) sprintf(errbuf, "incorrect service name: \"%s\" != \"%s\"", + princ, "host"); + goto errout; + } + } else { + (void) strcpy(errbuf, "service name too long"); + goto errout; + } + r = krb5_auth_con_getauthenticator(telnet_context, auth_context, &authenticator); @@ -557,7 +580,7 @@ kerberos5_is(ap, data, cnt) errout: { - char eerrbuf[128+9]; + char eerrbuf[329]; strcpy(eerrbuf, "telnetd: "); strcat(eerrbuf, errbuf); -- 2.26.2
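Review bot: The added check compares the first principal component as a C string although it is counted data: `strncpy` stops copying at the first NUL byte, so a component whose bytes are `host` followed by a NUL and further data ends up as `host` in `princ` and passes `strcmp`. Comparing length and bytes closes that gap and needs no copy on the success path: `krb5_data *svc = krb5_princ_component(telnet_context, ticket->server, 0);` followed by `if (svc->length != 4 || memcmp(svc->data, "host", 4) != 0)`. The rejected name is also formatted into `errbuf` with `%s`; what the `errout:` block does with that buffer afterwards is outside the visible hunks, so if it leaves the process the name should be printed with a bounded `%.*s` or omitted. A local for the component would also replace the four repeated `krb5_princ_component(...)` expansions. The enclosing function continues outside the hunk.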