From: Harald Barth <haba@pdc.kth.se>
Date: Mon, 26 Mar 2001 17:18:42 +0000 (+0000)
Subject: null-terminate-cell-when-copying-from-lrealm-20010326
X-Git-Tag: BP-openafs-devel-autoconf~24
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=9feea404fd44455bc1645aac87e7a4bb8306cca3;p=packages%2Fo%2Fopenafs.git

null-terminate-cell-when-copying-from-lrealm-20010326

Avoid condition where we could read past the end of lrealm (unlikely
to occur in practice and not remotely exploitable; cell and lrealm are
both MAXKTCREALMLEN and lrealm is configured locally and not read from the
network)
---

diff --git a/src/kauth/krb_udp.c b/src/kauth/krb_udp.c
index d8f8db245..65b144f98 100644
--- a/src/kauth/krb_udp.c
+++ b/src/kauth/krb_udp.c
@@ -446,7 +446,10 @@ afs_int32 UDP_GetTicket (ksoc, pkt, kvno, authDomain, ticket, ticketLen, auth, a
       code = KERB_ERR_PKT_VER;	/* was KABADTICKET */
       goto abort;
     }
-    if (celllen == 0) strcpy (cell, lrealm);
+    if (celllen == 0) {
+	strncpy (cell, lrealm, MAXKTCREALMLEN-1);
+	cell[MAXKTCREALMLEN-1] = 0;
+    };
 
     if (krb_udp_debug) {
 	printf ("UGetTicket: got ticket from '%s'.'%s'@'%s'\n",