This patch fixes buffer overflows in the Kerberos 4 code.
Index: crypto/dist/krb4/lib/krb/extra.c
===================================================================
RCS file: /cvsroot/basesrc/crypto/dist/krb4/lib/krb/extra.c,v
retrieving revision 1.1.1.1
retrieving revision 1.1.1.1.2.1
diff -u -r1.1.1.1 -r1.1.1.1.2.1
--- crypto/dist/krb4/lib/krb/extra.c 2000/06/16 18:45:52 1.1.1.1
+++ crypto/dist/krb4/lib/krb/extra.c 2000/12/12 21:57:00 1.1.1.1.2.1
@@ -33,7 +33,7 @@
 #include "krb_locl.h"
-RCSID("$Id: extra.c,v 1.1.1.1 2000/06/16 18:45:52 thorpej Exp $");
+RCSID("$Id: extra.c,v 1.1.1.1.2.1 2000/12/12 21:57:00 tv Exp $");
 struct value {
 char *variable;
@@ -70,30 +70,6 @@
 #ifndef WIN32
-struct obsolete {
- const char *from;
- const char *to;
-} obsolete [] = {
- { "KDC_TIMESYNC", "kdc_timesync" },
- { "KRB_REVERSE_DIRECTION", "reverse_lsb_test"},
- { "krb4_proxy", "krb4_proxy"},
- { NULL, NULL }
-};
-
-static void
-check_obsolete(void)
-{
- struct obsolete *r;
- for(r = obsolete; r->from; r++) {
- if(getenv(r->from)) {
- krb_warning("The environment variable `%s' is obsolete;\n"
- "set `%s' in your `krb.extra' file instead\n",
- r->from, r->to);
- define_variable(r->to, getenv(r->from));
- }
- }
-}
-
 static int
 read_extra_file(void)
 {
@@ -103,7 +79,6 @@
 if(_krb_extra_read)
 return 0;
 _krb_extra_read = 1;
- check_obsolete();
 while(krb_get_krbextra(i++, file, sizeof(file)) == 0) {
 FILE *f = fopen(file, "r");
 if(f == NULL)
Index: crypto/dist/krb4/lib/krb/kdc_reply.c
===================================================================
RCS file: /cvsroot/basesrc/crypto/dist/krb4/lib/krb/kdc_reply.c,v
retrieving revision 1.1.1.1
retrieving revision 1.1.1.1.2.1
diff -u -r1.1.1.1 -r1.1.1.1.2.1
--- crypto/dist/krb4/lib/krb/kdc_reply.c 2000/06/16 18:45:53 1.1.1.1
+++ crypto/dist/krb4/lib/krb/kdc_reply.c 2000/12/12 21:56:37 1.1.1.1.2.1
@@ -33,7 +33,7 @@
 #include "krb_locl.h"
-RCSID("$Id: kdc_reply.c,v 1.1.1.1 2000/06/16 18:45:53 thorpej Exp $");
+RCSID("$Id: kdc_reply.c,v 1.1.1.1.2.1 2000/12/12 21:56:37 tv Exp $");
 static int little_endian; /* XXX ugly */
@@ -121,6 +121,9 @@
 p += krb_get_int(p, &exp_date, 4, little_endian);
 p++; /* master key version number */
 p += krb_get_int(p, &clen, 2, little_endian);
+ if (reply->length - (p - reply->dat) < clen)
+ return INTK_PROT;
+
 cip->length = clen;
 memcpy(cip->dat, p, clen);
 p += clen;
Index: crypto/dist/krb4/lib/krb/tf_util.c
===================================================================
RCS file: /cvsroot/basesrc/crypto/dist/krb4/lib/krb/tf_util.c,v
retrieving revision 1.1.1.1
retrieving revision 1.1.1.1.2.1
diff -u -r1.1.1.1 -r1.1.1.1.2.1
--- crypto/dist/krb4/lib/krb/tf_util.c 2000/06/16 18:45:56 1.1.1.1
+++ crypto/dist/krb4/lib/krb/tf_util.c 2000/12/12 21:56:15 1.1.1.1.2.1
@@ -21,7 +21,7 @@
 #include "krb_locl.h"
-RCSID("$Id: tf_util.c,v 1.1.1.1 2000/06/16 18:45:56 thorpej Exp $");
+RCSID("$Id: tf_util.c,v 1.1.1.1.2.1 2000/12/12 21:56:15 tv Exp $");
 #define TOO_BIG -1
@@ -249,20 +249,6 @@
 int
 tf_create(char *tf_name)
 {
- struct stat statbuf;
- char garbage[BUFSIZ];
-
- fd = open(tf_name, O_RDWR | O_BINARY, 0);
- if (fd >= 0) {
- if (fstat (fd, &statbuf) == 0) {
- int i;
-
- for (i = 0; i < statbuf.st_size; i += sizeof(garbage))
- write (fd, garbage, sizeof(garbage));
- }
- close (fd);
- }
-
 if (unlink (tf_name) && errno != ENOENT)
 return TKT_FIL_ACC;
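Review bot: In the kdc_reply.c hunk at `@@ -121,6 +121,9 @@`, the new test bounds `clen` against the bytes left in `reply` but is only sound while `p` is still inside `reply->dat`, and it never compares `clen` with the capacity of `cip->dat`. The fields parsed before it lie outside the hunk, so it cannot be seen here whether `p` may already have passed `reply->length`; if it can, `reply->length - (p - reply->dat)` goes negative or wraps depending on the operand types, and the comparison with `clen` no longer rejects anything reliably. I would put `if (p - reply->dat > reply->length || clen > sizeof(cip->dat)) return INTK_PROT;` ahead of the new test, assuming `cip->dat` is a fixed-size array, which the hunk does not show. A short comment such as `/* clen is read from the reply: bound it before the memcpy */` would record why the check is there.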