null-terminate-cell-when-copying-from-lrealm-20010326

Avoid condition where we could read past the end of lrealm (unlikely
to occur in practice and not remotely exploitable; cell and lrealm are
both MAXKTCREALMLEN and lrealm is configured locally and not read from the
network)

diff --git a/src/kauth/krb_udp.c b/src/kauth/krb_udp.c
index d8f8db245f4c6bd5ff1ad358b23ee4933fc74fdb..65b144f9881d815c7e574772507263b1a84b4253 100644 (file)
--- a/src/kauth/krb_udp.c
+++ b/src/kauth/krb_udp.c
@@ -446,7 +446,10 @@ afs_int32 UDP_GetTicket (ksoc, pkt, kvno, authDomain, ticket, ticketLen, auth, a
       code = KERB_ERR_PKT_VER; /* was KABADTICKET */
       goto abort;
     }
-    if (celllen == 0) strcpy (cell, lrealm);
+    if (celllen == 0) {
+       strncpy (cell, lrealm, MAXKTCREALMLEN-1);
+       cell[MAXKTCREALMLEN-1] = 0;
+    };
 
     if (krb_udp_debug) {
        printf ("UGetTicket: got ticket from '%s'.'%s'@'%s'\n",