authorTom Yu <tlyu@mit.edu>2008-02-29 05:23:56 +0000
committerTom Yu <tlyu@mit.edu>2008-02-29 05:23:56 +0000
commitb302584b340be1089e5191b0e9912124bbe65962 (patch)
tree54cc99d716bedd7406339f2949568c5936b8659e
parent997057a521734827b7b75693939540249aa5670e (diff)
Make a NUL-terminated copy of realm name before passing to a plugin
interface that takes a C string rather than krb5_data. ticket: 5893 tags: pullup target_version: 1.6.4 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20243 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/lib/krb5/os/locate_kdc.c17
1 files changed, 16 insertions, 1 deletions
diff --git a/src/lib/krb5/os/locate_kdc.c b/src/lib/krb5/os/locate_kdc.c
index f03568b..7605328 100644
--- a/src/lib/krb5/os/locate_kdc.c
+++ b/src/lib/krb5/os/locate_kdc.c
@@ -622,6 +622,7 @@ module_locate_server (krb5_context ctx, const krb5_data *realm,
krb5_error_code code;
struct krb5plugin_service_locate_ftable *vtbl = NULL;
void **ptrs;
+ char *realmz; /* NUL-terminated realm */
int i;
struct module_callback_data cbdata = { 0, };
@@ -643,6 +644,17 @@ module_locate_server (krb5_context ctx, const krb5_data *realm,
return KRB5_PLUGIN_NO_HANDLE;
}
+ if (realm->length >= UINT_MAX) {
+ krb5int_free_plugin_dir_data(ptrs);
+ return ENOMEM;
+ }
+ realmz = malloc(realm->length + 1);
+ if (realmz == NULL) {
+ krb5int_free_plugin_dir_data(ptrs);
+ return ENOMEM;
+ }
+ memcpy(realmz, realm->data, realm->length);
+ realmz[realm->length] = '\0';
for (i = 0; ptrs[i]; i++) {
void *blob;
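Review bot: The copy made by `memcpy(realmz, realm->data, realm->length)` keeps any NUL byte that sits inside the counted realm, so a plugin reading `realmz` as a C string would look up a shorter realm name than the one the caller passed. Whether callers can hand in such a realm is not visible from this hunk, but this conversion point is the natural place to reject it: add `if (memchr(realm->data, '\0', realm->length) != NULL)` next to the length check, with the same `krb5int_free_plugin_dir_data(ptrs)` cleanup and an error return before `malloc`. The `UINT_MAX` comparison also depends on `<limits.h>` being included, which the hunk does not show. module_locate_server starts before and continues after this hunk.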
@@ -655,7 +667,7 @@ module_locate_server (krb5_context ctx, const krb5_data *realm,
if (code)
continue;
- code = vtbl->lookup(blob, svc, realm->data, socktype, family,
+ code = vtbl->lookup(blob, svc, realmz, socktype, family,
module_callback, &cbdata);
vtbl->fini(blob);
if (code == KRB5_PLUGIN_NO_HANDLE) {
@@ -668,6 +680,7 @@ module_locate_server (krb5_context ctx, const krb5_data *realm,
/* Module encountered an actual error. */
Tprintf("plugin lookup routine returned error %d: %s\n",
code, error_message(code));
+ free(realmz);
krb5int_free_plugin_dir_data (ptrs);
return code;
}
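Review bot: `free(realmz)` is paired by hand with `krb5int_free_plugin_dir_data (ptrs)` on this error return, and again on the "ran off end of plugin list" and success returns in the next two hunks, so any exit added later must remember both calls or it leaks the copy. Routing the exits through one label, e.g. `cleanup: free(realmz); krb5int_free_plugin_dir_data(ptrs); return code;` with `code` set before each `goto cleanup`, keeps the release in one place. The rest of the function body lies outside these hunks, so any return paths between them should be checked for the same pairing.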
@@ -675,6 +688,7 @@ module_locate_server (krb5_context ctx, const krb5_data *realm,
}
if (ptrs[i] == NULL) {
Tprintf("ran off end of plugin list\n");
+ free(realmz);
krb5int_free_plugin_dir_data (ptrs);
return KRB5_PLUGIN_NO_HANDLE;
}
@@ -683,6 +697,7 @@ module_locate_server (krb5_context ctx, const krb5_data *realm,
/* Got something back, yippee. */
Tprintf("now have %d addrs in list %p\n", addrlist->naddrs, addrlist);
print_addrlist(addrlist);
+ free(realmz);
krb5int_free_plugin_dir_data (ptrs);
return 0;
}