From d1aa4403394657f1468f2b16128e7b5b77fa1e6a Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Mon, 14 Jul 2008 22:12:38 +0000 Subject: [PATCH] pull up r20304 from trunk r20304@cathode-dark-space: raeburn | 2008-04-18 15:31:47 -0400 ticket: new subject: fix possible buffer overrun in handling generic-error return target_version: 1.6.5 tags: pullup Jeff Altman reported this, based on a crash seen in KfW in the wild. The krb5_data handle used to describe the message field returned by the KDC is not null-terminated, but we use a "%s" format to incorporate it into an error message string. In the right circumstances, garbage bytes can be pulled into the string, or a memory fault may result. However, as this is in the error-reporting part of the client-side code for fetching new credentials, it's a relatively minor DoS attack only, not a serious security exposure. Should be fixed in the next releases, though. ticket: 5944 version_fixed: 1.6.4 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@20521 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/krb5/krb/gc_via_tkt.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c index 8ee5721a7..aab347fc5 100644 --- a/src/lib/krb5/krb/gc_via_tkt.c +++ b/src/lib/krb5/krb/gc_via_tkt.c @@ -1,7 +1,7 @@ /* * lib/krb5/krb/gc_via_tgt.c * - * Copyright 1990,1991 by the Massachusetts Institute of Technology. + * Copyright 1990,1991,2007,2008 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -249,7 +249,8 @@ krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt, switch (err_reply->error) { case KRB_ERR_GENERIC: krb5_set_error_message(context, retval, - "KDC returned error string: %s", + "KDC returned error string: %.*s", + err_reply->text.length, err_reply->text.data); break; default: -- 2.26.2