authorTom Yu <tlyu@mit.edu>2000-05-22 23:01:48 +0000
committerTom Yu <tlyu@mit.edu>2000-05-22 23:01:48 +0000
commitf94954de4ea87e617d013ee756f33b77774edfa3 (patch)
treeedfc9d52ef9a93c723794599a89167d341f98c46
parent3fa16ed878b69ae63ec06153bdf14a7966e6ec16 (diff)
downloadkrb5-1.0.tar.gz
pullups from 1.2krb5-1.0
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/V1_0_BRANCH@12304 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/appl/bsd/ChangeLog4
-rw-r--r--src/appl/bsd/krshd.c9
-rw-r--r--src/lib/krb4/ChangeLog9
-rw-r--r--src/lib/krb4/kuserok.c7
-rw-r--r--src/lib/krb4/rd_req.c16
-rw-r--r--src/lib/krb5/krb/ChangeLog5
-rw-r--r--src/lib/krb5/krb/conv_princ.c7
-rw-r--r--src/lib/krb5/os/ChangeLog4
-rw-r--r--src/lib/krb5/os/kuserok.c5
-rw-r--r--src/lib/krb5/posix/ChangeLog7
-rw-r--r--src/lib/krb5/posix/syslog.c10
11 files changed, 65 insertions, 18 deletions
diff --git a/src/appl/bsd/ChangeLog b/src/appl/bsd/ChangeLog
index 5fb74c869..a439598ac 100644
--- a/src/appl/bsd/ChangeLog
+++ b/src/appl/bsd/ChangeLog
@@ -1,3 +1,7 @@
+2000-04-27 Nalin Dahyabhai <nalin@redhat.com>
+
+ * krshd.c (doit): Don't overflow buffer "cmdbuf".
+
Fri Mar 12 19:01:35 1999 Tom Yu <tlyu@mit.edu>
* Makefile.in (kshd): Add $(LOGINLIBS).
diff --git a/src/appl/bsd/krshd.c b/src/appl/bsd/krshd.c
index 8de25de39..7c80fe53c 100644
--- a/src/appl/bsd/krshd.c
+++ b/src/appl/bsd/krshd.c
@@ -1469,15 +1469,16 @@ if(port)
strcpy((char *) cmdbuf + offst, kprogdir);
cp = copy + 3 + offst;
+ cmdbuf[sizeof(cmdbuf) - 1] = '\0';
if (auth_sys == KRB5_RECVAUTH_V4) {
- strcat(cmdbuf, "/v4rcp");
+ strncat(cmdbuf, "/v4rcp", sizeof(cmdbuf) - 1 - strlen(cmdbuf));
} else {
- strcat(cmdbuf, "/rcp");
+ strncat(cmdbuf, "/rcp", sizeof(cmdbuf) - 1 - strlen(cmdbuf));
}
if (stat((char *)cmdbuf + offst, &s) >= 0)
- strcat(cmdbuf, cp);
+ strncat(cmdbuf, cp, sizeof(cmdbuf) - 1 - strlen(cmdbuf));
else
- strcpy(cmdbuf, copy);
+ strncpy(cmdbuf, copy, sizeof(cmdbuf) - 1 - strlen(cmdbuf));
free(copy);
}
#endif
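Review bot: The `strncpy` in the final `else` branch writes from the start of `cmdbuf` but is bounded by the space left after its current contents, `sizeof(cmdbuf) - 1 - strlen(cmdbuf)`. This cuts `copy` short by the length of the rcp path, and because `strncpy` adds no terminator when it truncates, the tail of the old path stays attached to the command. The bound should be the whole buffer with an explicit terminator: `strncpy(cmdbuf, copy, sizeof(cmdbuf) - 1);` followed by `cmdbuf[sizeof(cmdbuf) - 1] = '\0';`. The `strcpy` of `kprogdir` on the hunk's first line is still unbounded, and setting the last byte afterwards does not undo a write past the end, so a length check belongs before it. A command that does not fit is better rejected than run truncated; the enclosing function starts outside the hunk.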
diff --git a/src/lib/krb4/ChangeLog b/src/lib/krb4/ChangeLog
index 183237a4a..64a0d41a0 100644
--- a/src/lib/krb4/ChangeLog
+++ b/src/lib/krb4/ChangeLog
@@ -1,3 +1,12 @@
+2000-04-28 Ken Raeburn <raeburn@mit.edu>
+ Nalin Dahyabhai <nalin@redhat.com>
+
+ * kuserok.c (kuserok): Don't overflow buffer "pbuf".
+
+2000-04-28 Tom Yu <tlyu@mit.edu>
+
+ * rd_req.c (krb_rd_req): Fix some uses of strcpy().
+
Thu Apr 15 20:18:38 1999 Tom Yu <tlyu@mit.edu>
* g_cnffile.c (krb__get_srvtabname): Fix to actually extract
diff --git a/src/lib/krb4/kuserok.c b/src/lib/krb4/kuserok.c
index 6f45afeb3..154e38c3a 100644
--- a/src/lib/krb4/kuserok.c
+++ b/src/lib/krb4/kuserok.c
@@ -115,8 +115,11 @@ kuserok(kdata, luser)
if ((pwd = getpwnam(luser)) == NULL) {
return(NOTOK);
}
- (void) strcpy(pbuf, pwd->pw_dir);
- (void) strcat(pbuf, "/.klogin");
+ if (strlen (pwd->pw_dir) + sizeof ("/.klogin") >= sizeof (pbuf))
+ return NOTOK;
+ (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);
+ pbuf[sizeof(pbuf) - 1] = '\0';
+ (void) strncat(pbuf, "/.klogin", sizeof(pbuf) - 1 - strlen(pbuf));
if (access(pbuf, F_OK)) { /* not accessible */
/*
diff --git a/src/lib/krb4/rd_req.c b/src/lib/krb4/rd_req.c
index fc9580ce6..396481593 100644
--- a/src/lib/krb4/rd_req.c
+++ b/src/lib/krb4/rd_req.c
@@ -155,6 +155,8 @@ krb_rd_req(authent,service,instance,from_addr,ad,fn)
Kerberos used to encrypt ticket */
int status;
+ tkt->mbz = req_id->mbz = 0;
+
if (authent->length <= 0)
return(RD_AP_MODIFIED);
@@ -190,8 +192,9 @@ krb_rd_req(authent,service,instance,from_addr,ad,fn)
mutual = 0;
#endif /* lint */
s_kvno = *ptr++; /* get server key version */
- (void) strcpy(realm,ptr); /* And the realm of the issuing KDC */
- ptr += strlen(ptr) + 1; /* skip the realm "hint" */
+ (void) strncpy(realm,ptr,REALM_SZ); /* And the realm of the issuing KDC */
+ realm[REALM_SZ-1] = '\0';
+ ptr += strlen(realm) + 1; /* skip the realm "hint" */
/*
* If "fn" is NULL, key info should already be set; don't
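Review bot: When the realm in the request is longer than `REALM_SZ - 1`, `ptr += strlen(realm) + 1` advances by the truncated length and leaves `ptr` inside the oversized field, so the rest of the message is parsed from a misaligned position instead of being rejected. An over-long field from the peer is better treated as a malformed request, for example `if (ptr[strlen(realm)] != '\0') return(RD_AP_MODIFIED);` right after the terminator is set; this reads no further than `strncpy` already did. The same applies to the `r_aname`, `r_inst` and `r_realm` copies in the next hunk, where `check_ptr()` only checks the overall length and would not notice the desynchronisation. The comment on the `r_realm` line there also still reads "Authentication name". The function body extends beyond these hunks.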
@@ -277,13 +280,16 @@ krb_rd_req(authent,service,instance,from_addr,ad,fn)
#define check_ptr() if ((ptr - (char *) req_id->dat) > req_id->length) return(RD_AP_MODIFIED);
ptr = (char *) req_id->dat;
- (void) strcpy(r_aname,ptr); /* Authentication name */
+ (void) strncpy(r_aname,ptr,ANAME_SZ); /* Authentication name */
+ r_aname[ANAME_SZ-1] = '\0';
ptr += strlen(r_aname)+1;
check_ptr();
- (void) strcpy(r_inst,ptr); /* Authentication instance */
+ (void) strncpy(r_inst,ptr,INST_SZ); /* Authentication instance */
+ r_inst[INST_SZ-1] = '\0';
ptr += strlen(r_inst)+1;
check_ptr();
- (void) strcpy(r_realm,ptr); /* Authentication name */
+ (void) strncpy(r_realm,ptr,REALM_SZ); /* Authentication name */
+ r_realm[REALM_SZ-1] = '\0';
ptr += strlen(r_realm)+1;
check_ptr();
memcpy((char *)&ad->checksum, ptr, 4); /* Checksum */
diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index a1a5bacc4..5fb640f46 100644
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,3 +1,8 @@
+2000-04-28 Nalin Dahyabhai <nalin@redhat.com>
+
+ * conv_princ.c (krb5_425_conv_principal): Don't overflow buffer
+ "buf".
+
2000-02-01 Ken Raeburn <raeburn@mit.edu>
* init_ctx.c (init_common): Renamed from krb5_init_context, now
diff --git a/src/lib/krb5/krb/conv_princ.c b/src/lib/krb5/krb/conv_princ.c
index e1833b3f5..df1949856 100644
--- a/src/lib/krb5/krb/conv_princ.c
+++ b/src/lib/krb5/krb/conv_princ.c
@@ -243,7 +243,8 @@ krb5_425_conv_principal(context, name, instance, realm, princ)
if (retval == 0 && full_name && full_name[0]) {
instance = full_name[0];
} else {
- strcpy(buf, instance);
+ strncpy(buf, instance, sizeof(buf));
+ buf[sizeof(buf) - 1] = '\0';
retval = krb5_get_realm_domain(context, realm, &domain);
if (retval)
return retval;
@@ -251,8 +252,8 @@ krb5_425_conv_principal(context, name, instance, realm, princ)
for (cp = domain; *cp; cp++)
if (isupper(*cp))
*cp = tolower(*cp);
- strcat(buf, ".");
- strcat(buf, domain);
+ strncat(buf, ".", sizeof(buf) - 1 - strlen(buf));
+ strncat(buf, domain, sizeof(buf) - 1 - strlen(buf));
krb5_xfree(domain);
}
instance = buf;
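Review bot: The bounded `strncat` calls here, together with the `strncpy` in the previous hunk, silently truncate `instance "." domain` when it does not fit in `buf`, and `instance = buf` then carries the shortened name into the resulting principal. A principal that differs from the one requested is harder to diagnose than a failure, and may name a different host. I would check the combined length once `domain` is known, `if (strlen(buf) + 1 + strlen(domain) >= sizeof(buf))`, then free `domain` and return an error instead of continuing. The size of `buf` and the rest of the function are outside the hunk, so the choice of error code is left to the surrounding code.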
diff --git a/src/lib/krb5/os/ChangeLog b/src/lib/krb5/os/ChangeLog
index 2c1842f30..4d6914b47 100644
--- a/src/lib/krb5/os/ChangeLog
+++ b/src/lib/krb5/os/ChangeLog
@@ -1,3 +1,7 @@
+2000-04-28 Nalin Dahyabhai <nalin@redhat.com>
+
+ * kuserok.c (krb5_kuserok): Don't overflow buffer "pbuf".
+
Thu Mar 25 18:45:48 1999 Tom Yu <tlyu@mit.edu>
* promptusr.c (krb5_os_get_tty_uio): getchar() returns int, not
diff --git a/src/lib/krb5/os/kuserok.c b/src/lib/krb5/os/kuserok.c
index 3e54fa0c1..f81715112 100644
--- a/src/lib/krb5/os/kuserok.c
+++ b/src/lib/krb5/os/kuserok.c
@@ -77,8 +77,9 @@ krb5_kuserok(context, principal, luser)
if ((pwd = getpwnam(luser)) == NULL) {
return(FALSE);
}
- (void) strcpy(pbuf, pwd->pw_dir);
- (void) strcat(pbuf, "/.k5login");
+ (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);
+ pbuf[sizeof(pbuf) - 1] = '\0';
+ (void) strncat(pbuf, "/.k5login", sizeof(pbuf) - 1 - strlen(pbuf));
if (access(pbuf, F_OK)) { /* not accessible */
/*
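Review bot: Unlike the krb4 `kuserok` change in this same commit, this version has no length check before the copy, so an over-long `pw_dir` produces a truncated path that is then handed to `access()`. An authorization decision should not be made on a file other than the intended `.k5login`, so failing closed is safer: `if (strlen(pwd->pw_dir) + sizeof("/.k5login") >= sizeof(pbuf)) return(FALSE);` placed before the `strncpy`. With that guard in place the bounded copies can never truncate. The function continues past the end of the hunk.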
diff --git a/src/lib/krb5/posix/ChangeLog b/src/lib/krb5/posix/ChangeLog
index e94ad00dc..8f0c2fb62 100644
--- a/src/lib/krb5/posix/ChangeLog
+++ b/src/lib/krb5/posix/ChangeLog
@@ -1,3 +1,10 @@
+2000-04-28 Ken Raeburn <raeburn@mit.edu>
+ Nalin Dahyabhai <nalin@redhat.com>
+
+ * syslog.c (vsyslog): Use strncpy and strncat instead of strcpy
+ and strcat when adding to buffer "tbuf". If calling vsprintf,
+ abort if it appears to have overrun the buffer.
+
Mon Jun 10 21:51:35 1996 Theodore Ts'o <tytso@rsts-11.mit.edu>
* syslog.c: Change _WINDOWS to _MSDOS, and add check for _WIN32.
diff --git a/src/lib/krb5/posix/syslog.c b/src/lib/krb5/posix/syslog.c
index b853f046d..e581b3c40 100644
--- a/src/lib/krb5/posix/syslog.c
+++ b/src/lib/krb5/posix/syslog.c
@@ -115,7 +115,7 @@ vsyslog(pri, fmt, ap)
(void)sprintf(tbuf, "<%d>%.15s ", pri, ctime(&now) + 4);
for (p = tbuf; *p; ++p);
if (LogTag) {
- (void)strcpy(p, LogTag);
+ (void)strncpy(p, LogTag, sizeof(tbuf) - 1 - (p - tbuf));
for (; *p; ++p);
}
if (LogStat & LOG_PID) {
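Review bot: `strncpy` leaves the destination unterminated when `LogTag` is at least as long as the remaining space, and the following `for (; *p; ++p);` then scans for a NUL that may not exist inside `tbuf`. Terminating the buffer before the scan keeps `p` in bounds: add `tbuf[sizeof(tbuf) - 1] = '\0';` directly after the `strncpy`. The later `sprintf` for the PID and the `vsprintf` also assume space remains after the tag, so a tag that fills the buffer needs handling here rather than further down. The function starts and ends outside the hunk.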
@@ -146,6 +146,11 @@ vsyslog(pri, fmt, ap)
}
(void)vsprintf(p, fmt_cpy, ap);
+ /* Bounds checking?? If a system doesn't have syslog, we
+ probably can't rely on it having vsnprintf either. Try not
+ to let a buffer overrun be exploited. */
+ if (strlen (tbuf) >= sizeof (tbuf))
+ abort ();
/* output the message to the local logger */
if (send(LogFile, tbuf, cnt = strlen(tbuf), 0) >= 0 ||
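Review bot: The `strlen (tbuf) >= sizeof (tbuf)` test runs after `vsprintf` has already written past the end of `tbuf`, so by then adjacent stack data may be corrupted and the `strlen` itself reads beyond the array. The added comment acknowledges this; `abort()` limits the damage but does not prevent the overrun. Where the platform provides it, a bounded call avoids the problem: `(void)vsnprintf(p, sizeof(tbuf) - (p - tbuf), fmt_cpy, ap);`, selected by a configure-time check, with the post-hoc check kept only as the fallback. The comment could also state that the check is detection after the fact, so later readers do not take it for a bound.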
@@ -169,7 +174,8 @@ vsyslog(pri, fmt, ap)
if ((fd = open(CONSOLE, O_WRONLY, 0)) < 0)
return;
(void)alarm((u_int)0);
- (void)strcat(tbuf, "\r");
+ tbuf[sizeof(tbuf) - 1] = '\0';
+ (void)strncat(tbuf, "\r", sizeof(tbuf) - 1 - strlen(tbuf));
p = strchr(tbuf, '>') + 1;
(void)write(fd, p, cnt + 1 - (p - tbuf));
(void)close(fd);