author | Cy Schubert <cy@FreeBSD.org> | 2022-11-21 15:33:08 +0000 |
---|---|---|
committer | Cy Schubert <cy@FreeBSD.org> | 2022-11-24 17:21:13 +0000 |
commit | d7e8666ffb9967a92709a2d2ded4d31568ab1473 (patch) | |
tree | 329ce0eb03cb6e892bd04ad960a3c9c3e0bfe85b /crypto | |
parent | 06703946d0be0baaf0f2a88f85e2dd5354e861da (diff) | |
heimdal: The version string must always contain a terminating NUL
Should the sender send a string without a terminating NUL, ensure that
the NUL terminates the string regardless.
And while at it only process the version string when bytes are returned.
PR: 267884
Reported by: Robert Morris <rtm@lcs.mit.edu>
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D37471
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/heimdal/lib/krb5/recvauth.c | 26 |
1 files changed, 16 insertions, 10 deletions
diff --git a/crypto/heimdal/lib/krb5/recvauth.c b/crypto/heimdal/lib/krb5/recvauth.c
index 78e98a10fc1b..b63b28628395 100644
--- a/crypto/heimdal/lib/krb5/recvauth.c
+++ b/crypto/heimdal/lib/krb5/recvauth.c
@@ -75,7 +75,7 @@ krb5_recvauth_match_version(krb5_context context,
 const char *version = KRB5_SENDAUTH_VERSION;
 char her_version[sizeof(KRB5_SENDAUTH_VERSION)];
 char *her_appl_version;
- uint32_t len;
+ uint32_t len, bytes;
 u_char repl;
 krb5_data data;
 krb5_flags ap_options;
@@ -139,15 +139,21 @@ krb5_recvauth_match_version(krb5_context context,
 N_("malloc: out of memory", ""));
 return ENOMEM;
 }
- if (krb5_net_read (context, p_fd, her_appl_version, len) != len
- || !(*match_appl_version)(match_data, her_appl_version)) {
- repl = 2;
- krb5_net_write (context, p_fd, &repl, 1);
- krb5_set_error_message(context, KRB5_SENDAUTH_BADAPPLVERS,
- N_("wrong sendauth version (%s)", ""),
- her_appl_version);
- free (her_appl_version);
- return KRB5_SENDAUTH_BADAPPLVERS;
+ if ((bytes = krb5_net_read (context, p_fd, her_appl_version, len))) {
+ /* PR/267884: String read must always conatain a terminating NUL */
+ if (strnlen(her_appl_version, len) == len)
+ her_appl_version[len-1] = '\0';
+
+ if (bytes != len ||
+ !(*match_appl_version)(match_data, her_appl_version)) {
+ repl = 2;
+ krb5_net_write (context, p_fd, &repl, 1);
+ krb5_set_error_message(context, KRB5_SENDAUTH_BADAPPLVERS,
+ N_("wrong sendauth version (%s)", ""),
+ her_appl_version);
+ free (her_appl_version);
+ return KRB5_SENDAUTH_BADAPPLVERS;
+ }
 }
 free (her_appl_version); |
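Review bot: In the second hunk a zero return from `krb5_net_read` skips the whole `if ((bytes = ...))` block, so neither `match_appl_version` nor the `KRB5_SENDAUTH_BADAPPLVERS` rejection runs and control falls through to the trailing `free` as though the application version had matched; the removed code rejected that case whenever `len` was non-zero. I would fail closed instead: run the terminator fix-up only when `len > 0` and make the rejection test unconditional, `if (len == 0 || bytes != len || !(*match_appl_version)(match_data, her_appl_version)) {`. `bytes` is a `uint32_t` while `krb5_net_read` returns a signed count, so an error return becomes a large non-zero value and `strnlen` then scans a buffer that was never filled; holding the result in a signed variable and checking `< 0` first avoids that. The allocation of `her_appl_version` and the code after the `free` are outside the hunk, so zero-filling the buffer and whether a later step still rejects the peer cannot be checked from here.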