KDC TGS-REQ null deref [CVE-2013-1416]

author Tom Yu <tlyu@mit.edu>

Fri, 29 Mar 2013 23:27:33 +0000 (19:27 -0400)

committer Tom Yu <tlyu@mit.edu>

Tue, 2 Apr 2013 18:44:29 +0000 (14:44 -0400)
author Tom Yu <tlyu@mit.edu>
Fri, 29 Mar 2013 23:27:33 +0000 (19:27 -0400)
committer Tom Yu <tlyu@mit.edu>
Tue, 2 Apr 2013 18:44:29 +0000 (14:44 -0400)
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c

index 9ff80cfd0eca1de4af8b31614e688215b6bf35ce..86496e94911f45c6802a8cae71affd0b0d001dab 100644 (file)
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -1141,7 +1141,8 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ)
              retval = ENOMEM;
              goto cleanup;
          }
-        strlcpy(comp1_str,comp1->data,comp1->length+1);
+        if (comp1->data != NULL)
+            memcpy(comp1_str, comp1->data, comp1->length);
  
          if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST ||
               krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_INST ||
@@ -1164,7 +1165,8 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ)
                  retval = ENOMEM;
                  goto cleanup;
              }
-            strlcpy(temp_buf, comp2->data,comp2->length+1);
+            if (comp2->data != NULL)
+                memcpy(temp_buf, comp2->data, comp2->length);
              retval = krb5int_get_domain_realm_mapping(kdc_context, temp_buf, &realms);
              free(temp_buf);
              if (retval) {
author	Tom Yu <tlyu@mit.edu>
	Fri, 29 Mar 2013 23:27:33 +0000 (19:27 -0400)
committer	Tom Yu <tlyu@mit.edu>
	Tue, 2 Apr 2013 18:44:29 +0000 (14:44 -0400)