From 8b9902db3c3dd546c6bba323221962011ecadcde Mon Sep 17 00:00:00 2001
From: Ezra Peisach
Date: Fri, 26 Oct 2001 22:14:31 +0000
Subject: [PATCH] * k5seal.c (make_seal_token_v1): Correct errors in code pertaining to case when signing message only. Fixes buffer overflows as found by gssapi dejagnu testsuite.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13868 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/gssapi/krb5/ChangeLog | 6 ++++++
 src/lib/gssapi/krb5/k5seal.c | 14 +++++++++-----
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog
index d5aa402f7..2bc1ca9a6 100644
--- a/src/lib/gssapi/krb5/ChangeLog
+++ b/src/lib/gssapi/krb5/ChangeLog
@@ -1,3 +1,9 @@
+2001-10-26 Ezra Peisach
+
+ * k5seal.c (make_seal_token_v1): Correct errors in code pertaining
+ to case when signing message only. Fixes buffer overflows as found
+ by gssapi dejagnu testsuite.
+
 2001-10-25 Sam Hartman
 
 * k5unseal.c (kg_unseal_v1): same here.
diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c
index a8b10f6a5..7ba53db27 100644
--- a/src/lib/gssapi/krb5/k5seal.c
+++ b/src/lib/gssapi/krb5/k5seal.c
@@ -91,6 +91,7 @@ make_seal_token_v1 (krb5_context context,
     if (encrypt || (!bigend && (toktype == KG_TOK_SEAL_MSG)))
         conflen = kg_confounder_size(context, enc);
     else conflen = 0;
+
     if (toktype == KG_TOK_SEAL_MSG) {
         switch (sealalg) {
         case SEAL_ALG_MICROSOFT_RC4:
@@ -177,23 +178,26 @@ make_seal_token_v1 (krb5_context context,
     }
 
     memcpy(plain+conflen, text->value, text->length);
-    memset(plain+conflen+text->length, pad, pad);
+    if (pad) memset(plain+conflen+text->length, pad, pad);
 
-    /* compute the checksum */
+    /* compute the checksum */
 
     /* 8 = head of token body as specified by mech spec */
     if (! (data_ptr =
-           (char *) xmalloc(8 + (bigend ? text->length : tmsglen)))) {
+           (char *) xmalloc(8 +
+                            ((bigend || (toktype != KG_TOK_SEAL_MSG))
+                             ? text->length : tmsglen)))) {
         xfree(plain);
         xfree(t);
         return(ENOMEM);
     }
     (void) memcpy(data_ptr, ptr-2, 8);
-    if (bigend)
+    if (bigend || (toktype != KG_TOK_SEAL_MSG))
         (void) memcpy(data_ptr+8, text->value, text->length);
     else
         (void) memcpy(data_ptr+8, plain, msglen);
-    plaind.length = 8 + (bigend ? text->length : msglen);
+    plaind.length = 8 +
+        ((bigend || (toktype != KG_TOK_SEAL_MSG))? text->length : msglen);
     plaind.data = data_ptr;
     code = krb5_c_make_checksum(context, md5cksum.checksum_type, seq,
                                 sign_usage, &plaind, &md5cksum);
-- 
2.26.2
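Review bot: The selector `(bigend || (toktype != KG_TOK_SEAL_MSG))` is now spelled out three times in this hunk — in the xmalloc size, the memcpy guard and the plaind.length assignment — and the overflow this commit fixes was exactly a case where the allocation and the copy disagreed, so the three sites should be derived from one value rather than kept in sync by hand. Compute it once before the allocation, e.g. `int raw_text = bigend || (toktype != KG_TOK_SEAL_MSG);`, and use `raw_text` at all three sites. The else branch still allocates `8 + tmsglen` but copies and checksums `msglen` bytes, which is only safe if `msglen <= tmsglen`; that relation is established outside this hunk, so a one-line comment at the xmalloc call stating it (`/* tmsglen >= msglen: padded length covers the confounded message */`, confirm against where both are computed) would make the bound visible. make_seal_token_v1 starts and ends outside this hunk.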