1 files changed, 39 insertions, 6 deletions

diff --git a/src/lib/krb4/g_ad_tkt.c b/src/lib/krb4/g_ad_tkt.c
index b3abb2d..afcd0c6 100644
--- a/src/lib/krb4/g_ad_tkt.c
+++ b/src/lib/krb4/g_ad_tkt.c
@@ -19,6 +19,19 @@
 extern int krb_debug;
 extern int swap_bytes;
 
+/* Return the length of the string if a NUL is found within the first
+ * max_len bytes, otherwise, -1. */
+static int krb_strnlen(const char *str, int max_len)
+{
+    int i;
+    for(i = 0; i < max_len; i++) {
+        if(str[i] == '\0') {
+            return i;
+        }
+    }
+    return -1;
+}
+
 /*
  * get_ad_tkt obtains a new service ticket from Kerberos, using
  * the ticket-granting ticket which must be in the ticket file.
@@ -136,11 +149,22 @@ get_ad_tkt(service,sinstance,realm,lifetime)
 	return(AD_NOTGT);
 
     /* timestamp */   /* FIXME -- always 0 now, should we fill it in??? */
+    if(pkt->length + 4 > sizeof(pkt->dat))
+        return(INTK_ERR);
     memcpy((char *) (pkt->dat+pkt->length), (char *) &time_ws, 4);
     pkt->length += 4;
+
+    if(pkt->length + 1 > sizeof(pkt->dat))
+        return(INTK_ERR);
     *(pkt->dat+(pkt->length)++) = (char) lifetime;
+
+    if(pkt->length + 1 + strlen(service) > sizeof(pkt->dat))
+        return(INTK_ERR);
     (void) strcpy((char *) (pkt->dat+pkt->length),service);
     pkt->length += 1 + strlen(service);
+
+    if(pkt->length + 1 + strlen(sinstance) > sizeof(pkt->dat))
+        return(INTK_ERR);
     (void) strcpy((char *)(pkt->dat+pkt->length),sinstance);
     pkt->length += 1 + strlen(sinstance);
 
@@ -199,18 +223,27 @@ get_ad_tkt(service,sinstance,realm,lifetime)
     memcpy((char *)ses, ptr, 8);
     ptr += 8;
 
-    (void) strcpy(s_name,ptr);
+    if(krb_strnlen(ptr, sizeof(s_name)) < 0)
+        return RD_AP_MODIFIED;
+    (void) strncpy(s_name,ptr,sizeof(s_name) - 1);
+    s_name[sizeof(s_name) - 1] = '\0';
     ptr += strlen(s_name) + 1;
 
-    (void) strcpy(s_instance,ptr);
+    if(krb_strnlen(ptr, sizeof(s_instance)) < 0)
+        return RD_AP_MODIFIED;
+    (void) strncpy(s_instance,ptr,sizeof(s_instance)-1);
+    s_instance[sizeof(s_instance)-1] = '\0';
     ptr += strlen(s_instance) + 1;
 
-    (void) strcpy(rlm,ptr);
+    if(krb_strnlen(ptr, sizeof(rlm)) < 0)
+        return RD_AP_MODIFIED;
+    (void) strncpy(rlm,ptr,sizeof(rlm) - 1);
+    rlm[sizeof(rlm)-1];
     ptr += strlen(rlm) + 1;
 
-    lifetime = (unsigned long) ptr[0];
-    kvno = (unsigned long) ptr[1];
-    tkt->length = (int) ptr[2];
+    lifetime = (unsigned char) ptr[0];
+    kvno = (unsigned char) ptr[1];
+    tkt->length = (unsigned char) ptr[2];
     ptr += 3;
     memcpy((char *)(tkt->dat), ptr, tkt->length);
     ptr += tkt->length;