From 86bceb3421c22135fc8309a0a03c3fbfa691a1fe Mon Sep 17 00:00:00 2001 From: Theodore Tso Date: Thu, 5 Feb 1998 00:03:04 +0000 Subject: [PATCH] kerberos_v4.c (process_v4): Check the length of the incoming V4 packet before copying it into the KTEXT_ST variable. (kerberos_v4): Make sure the strings in the V4 request structures aren't no longer than they are allowed to be. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10402 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kdc/ChangeLog | 7 +++++++ src/kdc/kerberos_v4.c | 41 +++++++++++++++++++++++++++++++++-------- 2 files changed, 40 insertions(+), 8 deletions(-) diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog index bd26229ea..6420856b5 100644 --- a/src/kdc/ChangeLog +++ b/src/kdc/ChangeLog @@ -1,3 +1,10 @@ +Wed Feb 4 14:15:20 1998 Theodore Y. Ts'o + + * kerberos_v4.c (process_v4): Check the length of the incoming V4 + packet before copying it into the KTEXT_ST variable. + (kerberos_v4): Make sure the strings in the V4 request + structures aren't no longer than they are allowed to be. + Wed Jan 28 08:56:07 1998 Ezra Peisach * krb5kdc.M: Document V4 mode handling [krb5-kdc/464]. diff --git a/src/kdc/kerberos_v4.c b/src/kdc/kerberos_v4.c index 110eb5724..90ee6718a 100644 --- a/src/kdc/kerberos_v4.c +++ b/src/kdc/kerberos_v4.c @@ -94,7 +94,7 @@ static Principal a_name_data; /* for requesting user */ static Principal s_name_data; /* for services requested */ static C_Block session_key; -static char log_text[128]; +static char log_text[512]; static char *lt; static int more; @@ -217,6 +217,12 @@ krb5_data **resp; KTEXT_ST v4_pkt; char *lrealm; + /* Check if disabled completely */ + if (kdc_v4 == KDC_V4_NONE) { + (void) klog(L_KRB_PERR, "Disabled KRB V4 request"); + return KRB5KDC_ERR_BAD_PVNO; + } + if ((retval = krb5_timeofday(kdc_context, (krb5_timestamp *) &kerb_time.tv_sec))) return(retval); @@ -239,16 +245,13 @@ krb5_data **resp; /* convert v5 packet structure to v4's. * this copy is gross, but necessary: */ + if (pkt->length > MAX_KTXT_LEN) { + (void) klog(L_KRB_PERR, "V4 request too long."); + return KRB5KRB_ERR_FIELD_TOOLONG; + } v4_pkt.length = pkt->length; memcpy( v4_pkt.dat, pkt->data, pkt->length); - /* Check if disabled completely */ - if (kdc_v4 == KDC_V4_NONE) { - (void) klog(L_KRB_PERR, - "Disabled KRB V4 request"); - return KRB5KDC_ERR_BAD_PVNO; - } - kerberos_v4( &client_sockaddr, &v4_pkt); *resp = response; return(retval); @@ -504,6 +507,21 @@ kerb_get_principal(name, inst, principal, maxn, more) *more = (int) more5 || (nprinc > maxn); return( nprinc); } + +static void str_length_check(str, max_size) + char *str; + int max_size; +{ + int i; + char *cp; + + for (i=0, cp = str; i < max_size-1; i++, cp++) { + if (*cp == 0) + return; + } + *cp = 0; +} + void kerberos_v4(client, pkt) struct sockaddr_in *client; @@ -595,8 +613,11 @@ kerberos_v4(client, pkt) /* set up and correct for byte order and alignment */ req_name_ptr = (char *) pkt_a_name(pkt); + str_length_check(req_name_ptr, ANAME_SZ); req_inst_ptr = (char *) pkt_a_inst(pkt); + str_length_check(req_inst_ptr, INST_SZ); req_realm_ptr = (char *) pkt_a_realm(pkt); + str_length_check(req_realm_ptr, REALM_SZ); memcpy(&req_time_ws, pkt_time_ws(pkt), sizeof(req_time_ws)); /* time has to be diddled */ if (swap_bytes) { @@ -607,7 +628,9 @@ kerberos_v4(client, pkt) req_life = (u_long) (*ptr++); service = ptr; + str_length_check(service, SNAME_SZ); instance = ptr + strlen(service) + 1; + str_length_check(instance, INST_SZ); rpkt = &rpkt_st; @@ -739,7 +762,9 @@ kerberos_v4(client, pkt) req_life = (u_long) (*ptr++); service = ptr; + str_length_check(service, SNAME_SZ); instance = ptr + strlen(service) + 1; + str_length_check(instance, INST_SZ); klog(L_APPL_REQ, "APPL Request %s.%s@%s on %s for %s.%s", ad->pname, ad->pinst, ad->prealm, -- 2.26.2