Fix crash on empty TXT records

In k5_try_realm_txt_rr(), error out if the first text string in a TXT
record is empty or if its length exceeds the record length.

This function is only used when dns_lookup_realm is set to true in
krb5.conf.  An alternative implementation is used on Windows.

[ghudson@mit.edu: moved zero-length check and added upper bound check;
rewrote commit message]

ticket: 9174 (new)

diff --git a/src/lib/krb5/os/dnsglue.c b/src/lib/krb5/os/dnsglue.c
index 5da550c1e86c3b5f2434d12192159476bc6a4b03..fd403aa752e91638d91bd8ff60dbb6bde1882795 100644 (file)
--- a/src/lib/krb5/os/dnsglue.c
+++ b/src/lib/krb5/os/dnsglue.c
@@ -470,12 +470,10 @@ k5_try_realm_txt_rr(krb5_context context, const char *prefix, const char *name,
     }
 
     ret = krb5int_dns_nextans(ds, &base, &rdlen);
-    if (ret < 0 || base == NULL)
+    if (ret < 0 || rdlen < 2 || *base == 0 || *base > rdlen - 1)
         goto errout;
 
     p = base;
-    if (!INCR_OK(base, rdlen, p, 1))
-        goto errout;
     len = *p++;
     *realm = malloc((size_t)len + 1);
     if (*realm == NULL) {