From e41db37b10eb9b0f41876e7287477a17e86d1250 Mon Sep 17 00:00:00 2001
From: Amos Jeffries <squid3@treenet.co.nz>
Date: Sun, 12 Jul 2009 14:46:59 +1200
Subject: [PATCH] Author: Markus Moeller <huaraz@moeller.plus.com> Bug 2710:
 squid_kerb_auth non-terminated string

---
 .../squid_kerb_auth/squid_kerb_auth.c         | 38 ++++++++++++++++---
 1 file changed, 32 insertions(+), 6 deletions(-)

diff --git a/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c b/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c
index 17f509d1b8..368f01bf88 100644
--- a/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c
+++ b/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c
@@ -208,6 +208,7 @@ int main(int argc, char * const argv[])
 {
     char buf[MAX_AUTHTOKEN_LEN];
     char *c;
+    char *user=NULL;
     int length=0;
     static int err=0;
     int opt, debug=0, log=0;
@@ -508,11 +509,20 @@ int main(int argc, char * const argv[])
 
             if (check_gss_err(major_status,minor_status,"gss_display_name()",debug,log) )
                 goto cleanup;
-            fprintf(stdout, "AF %s %s\n",token,(char *)output_token.value);
+            user=xmalloc(output_token.length+1);
+            if (user == NULL) {
+               if (debug)
+                  fprintf(stderr, "%s| %s: Not enough memory\n", LogTime(), PROGRAM);
+               fprintf(stdout, "BH Not enough memory\n");
+               goto cleanup;
+            }
+            memcpy(user,output_token.value,output_token.length);
+            user[output_token.length]='\0';
+            fprintf(stdout, "AF %s %s\n",token,user);
             if (debug)
-                fprintf(stderr, "%s| %s: AF %s %s\n", LogTime(), PROGRAM, token,(char *)output_token.value);
+                fprintf(stderr, "%s| %s: AF %s %s\n", LogTime(), PROGRAM, token,user);
             if (log)
-                fprintf(stderr, "%s| %s: User %s authenticated\n", LogTime(), PROGRAM, (char *)output_token.value);
+                fprintf(stderr, "%s| %s: User %s authenticated\n", LogTime(), PROGRAM, user);
             goto cleanup;
         } else {
             if (check_gss_err(major_status,minor_status,"gss_accept_sec_context()",debug,log) )
@@ -532,11 +542,23 @@ int main(int argc, char * const argv[])
             /*
              *  Return dummy token AA. May need an extra return tag then AF
              */
-            fprintf(stdout, "AF %s %s\n","AA==",(char *)output_token.value);
+            user=xmalloc(output_token.length+1);
+            if (user == NULL) {
+               if (debug)
+                  fprintf(stderr, "%s| %s: Not enough memory\n", LogTime(), PROGRAM);
+               fprintf(stdout, "BH Not enough memory\n");
+               goto cleanup;
+            }
+            memcpy(user,output_token.value,output_token.length);
+            user[output_token.length]='\0';
+            if (norealm && (p=strchr(user,'@')) != NULL) {
+                *p='\0';
+            }
+            fprintf(stdout, "AF %s %s\n","AA==",user);
             if (debug)
-                fprintf(stderr, "%s| %s: AF %s %s\n", LogTime(), PROGRAM, "AA==", (char *)output_token.value);
+                fprintf(stderr, "%s| %s: AF %s %s\n", LogTime(), PROGRAM, "AA==", user);
             if (log)
-                fprintf(stderr, "%s| %s: User %s authenticated\n", LogTime(), PROGRAM, (char *)output_token.value);
+                fprintf(stderr, "%s| %s: User %s authenticated\n", LogTime(), PROGRAM, user);
 
 cleanup:
             gss_release_buffer(&minor_status, &input_token);
@@ -562,6 +584,10 @@ cleanup:
                 xfree(token);
                 token=NULL;
             }
+            if (user) {
+                xfree(user);
+                user=NULL;
+            }
             continue;
         }
     }
-- 
2.47.2