Index: appl/bsd/krshd.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/appl/bsd/krshd.c,v
retrieving revision 5.66.2.6
diff -c -r5.66.2.6 krshd.c
*** krshd.c 1999/03/09 00:27:31 5.66.2.6
- --- krshd.c 2000/04/29 02:58:52
***************
*** 1469,1483 ****
strcpy((char *) cmdbuf + offst, kprogdir);
cp = copy + 3 + offst;
if (auth_sys == KRB5_RECVAUTH_V4) {
! strcat(cmdbuf, "/v4rcp");
} else {
! strcat(cmdbuf, "/rcp");
}
if (stat((char *)cmdbuf + offst, &s) >= 0)
! strcat(cmdbuf, cp);
else
! strcpy(cmdbuf, copy);
free(copy);
}
#endif
- --- 1469,1484 ----
strcpy((char *) cmdbuf + offst, kprogdir);
cp = copy + 3 + offst;
+ cmdbuf[sizeof(cmdbuf) - 1] = '\0';
if (auth_sys == KRB5_RECVAUTH_V4) {
! strncat(cmdbuf, "/v4rcp", sizeof(cmdbuf) - 1 - strlen(cmdbuf));
} else {
! strncat(cmdbuf, "/rcp", sizeof(cmdbuf) - 1 - strlen(cmdbuf));
}
if (stat((char *)cmdbuf + offst, &s) >= 0)
! strncat(cmdbuf, cp, sizeof(cmdbuf) - 1 - strlen(cmdbuf));
else
! strncpy(cmdbuf, copy, sizeof(cmdbuf) - 1 - strlen(cmdbuf));
free(copy);
}
#endif
Index: lib/krb4/kuserok.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb4/kuserok.c,v
retrieving revision 1.3
diff -c -r1.3 kuserok.c
*** kuserok.c 1996/01/27 06:06:22 1.3
- --- kuserok.c 2000/04/29 02:59:02
***************
*** 115,122 ****
if ((pwd = getpwnam(luser)) == NULL) {
return(NOTOK);
}
! (void) strcpy(pbuf, pwd->pw_dir);
! (void) strcat(pbuf, "/.klogin");
if (access(pbuf, F_OK)) { /* not accessible */
/*
- --- 115,125 ----
if ((pwd = getpwnam(luser)) == NULL) {
return(NOTOK);
}
! if (strlen (pwd->pw_dir) + sizeof ("/.klogin") >= sizeof (pbuf))
! return NOTOK;
! (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);
! pbuf[sizeof(pbuf) - 1] = '\0';
! 
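Review bot: In the `else` branch, `strncpy(cmdbuf, copy, sizeof(cmdbuf) - 1 - strlen(cmdbuf))` uses the wrong bound: the copy starts at the beginning of `cmdbuf`, so the space available is `sizeof(cmdbuf) - 1`, not what is left after the current contents, and on truncation `strncpy` writes no terminator at the cut, so the command later executed is a prefix of `copy` spliced onto the tail of the previous buffer contents. Use `strncpy(cmdbuf, copy, sizeof(cmdbuf) - 1); cmdbuf[sizeof(cmdbuf) - 1] = '\0';` instead. The `strcpy((char *) cmdbuf + offst, kprogdir)` at the top of the hunk is still unbounded; if `kprogdir` is a fixed build-time path that is acceptable, otherwise it needs the same bound as the rest. The enclosing function starts and ends outside the hunk.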
(void) strncat(pbuf, "/.klogin", sizeof(pbuf) - 1 - strlen(pbuf));
if (access(pbuf, F_OK)) { /* not accessible */
/*
Index: lib/krb4/rd_req.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb4/rd_req.c,v
retrieving revision 1.4
diff -c -r1.4 rd_req.c
*** rd_req.c 1996/02/24 14:29:26 1.4
- --- rd_req.c 2000/04/29 02:59:02
***************
*** 155,160 ****
- --- 155,162 ----
Kerberos used to encrypt ticket */
int status;
+ tkt->mbz = req_id->mbz = 0;
+ 
if (authent->length <= 0) return(RD_AP_MODIFIED);
***************
*** 190,197 ****
mutual = 0;
#endif /* lint */
s_kvno = *ptr++; /* get server key version */
! (void) strcpy(realm,ptr); /* And the realm of the issuing KDC */
! ptr += strlen(ptr) + 1; /* skip the realm "hint" */
/*
* If "fn" is NULL, key info should already be set; don't
- --- 192,200 ----
mutual = 0;
#endif /* lint */
s_kvno = *ptr++; /* get server key version */
! (void) strncpy(realm,ptr,REALM_SZ); /* And the realm of the issuing KDC */
! realm[REALM_SZ-1] = '\0';
! ptr += strlen(realm) + 1; /* skip the realm "hint" */
/*
* If "fn" is NULL, key info should already be set; don't
***************
*** 277,289 ****
#define check_ptr() if ((ptr - (char *) req_id->dat) > req_id->length) return(RD_AP_MODIFIED);
ptr = (char *) req_id->dat;
! (void) strcpy(r_aname,ptr); /* Authentication name */
ptr += strlen(r_aname)+1;
check_ptr();
! (void) strcpy(r_inst,ptr); /* Authentication instance */
ptr += strlen(r_inst)+1;
check_ptr();
! (void) strcpy(r_realm,ptr); /* Authentication name */
ptr += strlen(r_realm)+1;
check_ptr();
memcpy((char *)&ad->checksum, ptr, 4); /* Checksum */
- --- 280,295 ----
#define check_ptr() if ((ptr - (char *) req_id->dat) > req_id->length) return(RD_AP_MODIFIED);
ptr = (char *) req_id->dat;
! (void) strncpy(r_aname,ptr,ANAME_SZ); /* Authentication name */
! r_aname[ANAME_SZ-1] = '\0';
ptr += strlen(r_aname)+1;
check_ptr();
! 
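Review bot: In the 190,197 hunk, `strncpy(realm,ptr,REALM_SZ)` with the forced terminator and `ptr += strlen(realm) + 1` silently truncates an over-long realm and then advances `ptr` by the truncated length, so the fields that follow are parsed from the middle of the realm string instead of the message being rejected; the `r_aname`, `r_inst` and `r_realm` copies in the 277,289 hunk have the same shape. Treat truncation as a malformed message, e.g. right after the terminator write `if (ptr[strlen(realm)] != '\0') return(RD_AP_MODIFIED);` and likewise for the three fields below. Note also that `strncpy` bounds the destination, not the source: nothing in these hunks checks that `ptr` and the up-to-`REALM_SZ` bytes it may read lie within the message length (presumably `authent->length`, which the 155,160 hunk only tests for being positive), and in the 277,289 hunk `check_ptr()` runs only after each copy has already read up to `ANAME_SZ`/`INST_SZ`/`REALM_SZ` bytes, with a `>` comparison that lets `ptr` rest exactly at the end of `req_id->dat` before the next read. The enclosing function starts and ends outside these hunks.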
(void) strncpy(r_inst,ptr,INST_SZ); /* Authentication instance */
! r_inst[INST_SZ-1] = '\0';
ptr += strlen(r_inst)+1;
check_ptr();
! (void) strncpy(r_realm,ptr,REALM_SZ); /* Authentication name */
! r_realm[REALM_SZ-1] = '\0';
ptr += strlen(r_realm)+1;
check_ptr();
memcpy((char *)&ad->checksum, ptr, 4); /* Checksum */
Index: lib/krb5/krb/conv_princ.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/conv_princ.c,v
retrieving revision 1.19.8.1
diff -c -r1.19.8.1 conv_princ.c
*** conv_princ.c 1999/02/07 00:52:01 1.19.8.1
- --- conv_princ.c 2000/04/29 02:59:04
***************
*** 243,249 ****
if (retval == 0 && full_name && full_name[0]) {
instance = full_name[0];
} else {
! strcpy(buf, instance);
retval = krb5_get_realm_domain(context, realm, &domain);
if (retval) return retval;
- --- 243,250 ----
if (retval == 0 && full_name && full_name[0]) {
instance = full_name[0];
} else {
! strncpy(buf, instance, sizeof(buf));
! buf[sizeof(buf) - 1] = '\0';
retval = krb5_get_realm_domain(context, realm, &domain);
if (retval) return retval;
***************
*** 251,258 ****
for (cp = domain; *cp; cp++)
if (isupper(*cp)) *cp = tolower(*cp);
! strcat(buf, ".");
! strcat(buf, domain);
krb5_xfree(domain);
}
instance = buf;
- --- 252,259 ----
for (cp = domain; *cp; cp++)
if (isupper(*cp)) *cp = tolower(*cp);
! strncat(buf, ".", sizeof(buf) - 1 - strlen(buf));
! strncat(buf, domain, sizeof(buf) - 1 - strlen(buf));
krb5_xfree(domain);
}
instance = buf;
Index: lib/krb5/os/kuserok.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/os/kuserok.c,v
retrieving revision 5.19
diff -c -r5.19 kuserok.c
*** kuserok.c 1996/06/12 05:15:02 5.19
- --- kuserok.c 2000/04/29 02:59:04
***************
*** 77,84 ****
if ((pwd = getpwnam(luser)) == NULL) {
return(FALSE);
}
! (void) strcpy(pbuf, pwd->pw_dir);
! 
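Review bot: The bounds added in both `conv_princ.c` hunks make an over-long `instance`, `.` and `domain` fold silently into a shortened name: after the `strncat` calls, `instance = buf` names something other than the host in the v5 principal, so the conversion succeeds with a wrong result rather than failing. The required length is known once `domain` is fetched, so reject it instead: before the two `strncat` calls in the 251,258 hunk, `if (strlen(buf) + 1 + strlen(domain) >= sizeof(buf)) { krb5_xfree(domain); return <ERROR CODE: the krb5 error this file returns for an unconvertible principal>; }`, and in the 243,249 hunk check `strlen(instance) >= sizeof(buf)` before the `strncpy`. The enclosing function starts and ends outside the hunks.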
(void) strcat(pbuf, "/.k5login");
if (access(pbuf, F_OK)) { /* not accessible */
/*
- --- 77,85 ----
if ((pwd = getpwnam(luser)) == NULL) {
return(FALSE);
}
! (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);
! pbuf[sizeof(pbuf) - 1] = '\0';
! (void) strncat(pbuf, "/.k5login", sizeof(pbuf) - 1 - strlen(pbuf));
if (access(pbuf, F_OK)) { /* not accessible */
/*
Index: lib/krb5/posix/syslog.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/posix/syslog.c,v
retrieving revision 5.7
diff -c -r5.7 syslog.c
*** syslog.c 1996/06/12 05:16:04 5.7
- --- syslog.c 2000/04/29 02:59:04
***************
*** 115,121 ****
(void)sprintf(tbuf, "<%d>%.15s ", pri, ctime(&now) + 4);
for (p = tbuf; *p; ++p);
if (LogTag) {
! (void)strcpy(p, LogTag);
for (; *p; ++p);
}
if (LogStat & LOG_PID) {
- --- 115,121 ----
(void)sprintf(tbuf, "<%d>%.15s ", pri, ctime(&now) + 4);
for (p = tbuf; *p; ++p);
if (LogTag) {
! (void)strncpy(p, LogTag, sizeof(tbuf) - 1 - (p - tbuf));
for (; *p; ++p);
}
if (LogStat & LOG_PID) {
***************
*** 146,151 ****
- --- 146,156 ----
}
(void)vsprintf(p, fmt_cpy, ap);
+ /* Bounds checking?? If a system doesn't have syslog, we
+ probably can't rely on it having vsnprintf either. Try not
+ to let a buffer overrun be exploited. */
+ if (strlen (tbuf) >= sizeof (tbuf))
+ abort ();
/* output the message to the local logger */
if (send(LogFile, tbuf, cnt = strlen(tbuf), 0) >= 0 ||
***************
*** 169,175 ****
if ((fd = open(CONSOLE, O_WRONLY, 0)) < 0)
return;
(void)alarm((u_int)0);
! (void)strcat(tbuf, "\r");
p = strchr(tbuf, '>') + 1;
(void)write(fd, p, cnt + 1 - (p - tbuf));
(void)close(fd);
- --- 174,181 ----
if ((fd = open(CONSOLE, O_WRONLY, 0)) < 0)
return;
(void)alarm((u_int)0);
! tbuf[sizeof(tbuf) - 1] = '\0';
! (void)strncat(tbuf, "\r", sizeof(tbuf) - 1 - strlen(tbuf));
p = strchr(tbuf, '>') + 1;
(void)write(fd, p, cnt + 1 - (p - tbuf));
(void)close(fd);
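Review bot: Unlike the `lib/krb4/kuserok.c` hunk earlier in this patch, the `lib/krb5/os/kuserok.c` hunk has no up-front length check: when `pwd->pw_dir` leaves no room for `/.k5login`, `strncat` silently truncates and the code goes on to `access()` and presumably open a different path from the user's `.k5login`. Fail closed the same way: `if (strlen(pwd->pw_dir) + sizeof("/.k5login") >= sizeof(pbuf)) return(FALSE);` ahead of the `strncpy`. The enclosing function starts and ends outside the hunk.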
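Review bot: In the `syslog.c` 115,121 hunk, `strncpy(p, LogTag, sizeof(tbuf) - 1 - (p - tbuf))` leaves no terminator when `LogTag` is cut short, and the next line `for (; *p; ++p);` then scans beyond the copied bytes through whatever `tbuf` held there, so `p` can end up at an arbitrary position — possibly past the array — before the writes that follow. Terminate right after the copy, as the 169,175 hunk does: `tbuf[sizeof(tbuf) - 1] = '\0';`. The enclosing function starts before and ends after the hunk.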
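Review bot: In the `syslog.c` 146,151 hunk, the `strlen (tbuf) >= sizeof (tbuf)` test after `vsprintf` is post-hoc: by the time it runs any overrun has already happened, and `strlen` itself reads past the array when no terminator landed inside it, so this is a detection of last resort rather than a bound, and the new comment should say so, e.g. `/* Post-hoc only: vsprintf has already written by the time this runs. */`. Where the build does know it has `vsnprintf`, `vsnprintf(p, sizeof(tbuf) - (p - tbuf), fmt_cpy, ap)` under that configuration conditional, keeping `vsprintf` plus the `abort()` only as the fallback, removes the overrun instead of aborting on it. The enclosing function starts before and ends after the hunk.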