From d5c8d03bcbfc730b05b6e3570404a48add5b05fc Mon Sep 17 00:00:00 2001
From: Tom Yu
Date: Tue, 17 Mar 1998 00:52:00 +0000
Subject: [PATCH] * chk_trans.c (krb5_check_transited_list): Check lengths when appending to next and prev.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10501 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/krb5/krb/ChangeLog | 5 +++++
 src/lib/krb5/krb/chk_trans.c | 24 ++++++++++++++++++++----
 2 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index cb58a762f..c94d3c393 100644
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,3 +1,8 @@
+Mon Mar 16 19:50:55 1998 Tom Yu
+
+ * chk_trans.c (krb5_check_transited_list): Check lengths when
+ appending to next and prev.
+
 Fri Feb 27 18:03:33 1998 Theodore Ts'o
 * Makefile.in: Changed thisconfigdir to point at the lib/krb5
diff --git a/src/lib/krb5/krb/chk_trans.c b/src/lib/krb5/krb/chk_trans.c
index 0961d6af7..979eb831a 100644
--- a/src/lib/krb5/krb/chk_trans.c
+++ b/src/lib/krb5/krb/chk_trans.c
@@ -41,8 +41,15 @@ krb5_data *realm2;
 krb5_principal *tgs_list;
 if (!trans || !trans->data) return(0);
- trans_length = trans->data[trans->length-1] ?
- trans->length : trans->length - 1;
+ if (trans_length)
+ trans_length = trans->data[trans->length-1] ?
+ trans->length : trans->length - 1;
+
+ for (i = 0; i < trans_length; i++)
+ if (trans->data[i] == '\0') {
+ /* Realms may not contain ASCII NUL character. */
+ return(KRB5KRB_AP_ERR_ILL_CR_TKT);
+ }
 if ((retval = krb5_walk_realm_tree(context, realm1, realm2, &tgs_list, KRB5_REALM_BRANCH_CHAR))) {
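Review bot: The new guard `if (trans_length)` tests `trans_length` before anything in this hunk assigns it, so unless the declaration (outside the hunk) initializes it, the test reads an indeterminate value. Whenever the branch is skipped, the NUL scan below uses that same value as its bound. The guard looks intended to keep `trans->data[trans->length-1]` from indexing before the buffer when `trans->length` is 0; that would read `trans_length = 0;` followed by `if (trans->length)` on the existing assignment. The function body starts and ends outside the hunk, so the declaration and the `finish` path should be checked alongside this.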
@@ -51,19 +58,28 @@ krb5_data *realm2;
 memset(prev, 0, MAX_REALM_LN + 1);
 memset(next, 0, MAX_REALM_LN + 1), nextp = next;
- for (i = 0; i <= trans_length; i++) {
+ for (i = 0; i < trans_length; i++) {
 if (i < trans_length-1 && trans->data[i] == '\\') {
 i++;
 *nextp++ = trans->data[i];
+ if (nextp - next > MAX_REALM_LN) {
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ goto finish;
+ }
 continue;
 }
 if (i < trans_length && trans->data[i] != ',') {
 *nextp++ = trans->data[i];
+ if (nextp - next > MAX_REALM_LN) {
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ goto finish;
+ }
 continue;
 }
 if (strlen(next) > 0) {
 if (next[0] != '/') {
- if (*(nextp-1) == '.') strcat(next, prev);
+ if (*(nextp-1) == '.' && strlen(next) + strlen(prev) <= MAX_REALM_LN)
+ strcat(next, prev);
 retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
 for (j = 0; tgs_list[j]; j++) {
 if (strlen(next) == (size_t) krb5_princ_realm(context, tgs_list[j])->length &&
--
2.26.2
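Review bot: Changing the loop bound from `i <= trans_length` to `i < trans_length` drops the final pass at `i == trans_length`, which used to fall through both `continue` branches, so a last realm not followed by `,` no longer appears to reach the `if (strlen(next) > 0)` comparison against `tgs_list`, unless code after the loop (outside the hunk) handles it. If nothing does, the last transited realm goes unchecked; keeping `i <= trans_length` retains that pass, and the existing `i < trans_length` tests already keep `trans->data[i]` from being read on it. Separately, both new length checks run after `*nextp++ = trans->data[i]`: the store stays inside a `MAX_REALM_LN + 1` buffer (the size the `memset` calls suggest) but can overwrite the terminator slot, so testing `nextp - next >= MAX_REALM_LN` before the store would be easier to audit. The loop body continues past the end of the hunk.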