Diffstat (limited to 'src/tests/hammer')
-rw-r--r--src/tests/hammer/ChangeLog9
-rw-r--r--src/tests/hammer/kdc5_hammer.c13
2 files changed, 17 insertions, 5 deletions
diff --git a/src/tests/hammer/ChangeLog b/src/tests/hammer/ChangeLog
index 1504de4..fcdd391 100644
--- a/src/tests/hammer/ChangeLog
+++ b/src/tests/hammer/ChangeLog
@@ -1,3 +1,12 @@
+2000-05-11 Nalin Dahyabhai <nalin@redhat.com>
+
+ * kdc5_hammer.c (main): Make sure buffer 'prefix' is null-terminated.
+
+2000-05-08 Ken Raeburn <raeburn@mit.edu>
+ Nalin Dahyabhai <nalin@redhat.com>
+
+ * kdc5_hammer.c (main): Don't overflow buffers "ctmp" or "stmp".
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/tests/hammer/kdc5_hammer.c b/src/tests/hammer/kdc5_hammer.c
index 780f92d..6429a38 100644
--- a/src/tests/hammer/kdc5_hammer.c
+++ b/src/tests/hammer/kdc5_hammer.c
@@ -169,7 +169,8 @@ main(argc, argv)
depth = atoi(optarg); /* how deep to go */
break;
case 'p': /* prefix name to check */
- strcpy(prefix, optarg);
+ strncpy(prefix, optarg, sizeof(prefix) - 1);
+ prefix[sizeof(prefix) - 1] = '\0';
break;
case 'n': /* how many to check */
num_to_check = atoi(optarg);
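Review bot: An over-long -p argument is now truncated silently at `strncpy(prefix, optarg, sizeof(prefix) - 1);`, so the run continues against principal names that differ from the ones requested. For a test driver it would be clearer to reject the input before the copy, e.g. `if (strlen(optarg) >= sizeof(prefix)) { fprintf(stderr, "prefix too long\n"); exit(1); }`. The body of main starts and ends outside this hunk, so the declared size of prefix is not visible here.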
@@ -240,10 +241,11 @@ main(argc, argv)
again given a prefix and count to test the db lib and kdb */
ctmp[0] = '\0';
for (i = 1; i <= depth; i++) {
- ctmp2[0] = '\0';
(void) sprintf(ctmp2, "%s%s%d-DEPTH-%d", (i != 1) ? "/" : "",
prefix, n, i);
- strcat(ctmp, ctmp2);
+ ctmp2[sizeof(ctmp2) - 1] = '\0';
+ strncat(ctmp, ctmp2, sizeof(ctmp) - 1 - strlen(ctmp));
+ ctmp[sizeof(ctmp) - 1] = '\0';
sprintf(client, "%s@%s", ctmp, cur_realm);
if (get_tgt (test_context, client, &client_princ, ccache)) {
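Review bot: The `sprintf` into `ctmp2` is still unbounded, and the added `ctmp2[sizeof(ctmp2) - 1] = '\0';` runs only after that write, so it cannot prevent an overflow that has already happened. The bound belongs in the formatting call itself, `(void) snprintf(ctmp2, sizeof(ctmp2), "%s%s%d-DEPTH-%d", ...);`, and likewise `snprintf(client, sizeof(client), "%s@%s", ctmp, cur_realm);` for the unchanged line below, which appends the realm to a possibly full `ctmp`. Whether either write can overflow in practice depends on the array sizes, which are declared outside the hunk. `strncat` always terminates its destination, so `ctmp[sizeof(ctmp) - 1] = '\0';` is redundant. The same pattern applies to `stmp2`, `stmp` and `server` in the next hunk.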
@@ -255,10 +257,11 @@ main(argc, argv)
stmp[0] = '\0';
for (j = 1; j <= depth; j++) {
- stmp2[0] = '\0';
(void) sprintf(stmp2, "%s%s%d-DEPTH-%d", (j != 1) ? "/" : "",
prefix, n, j);
- strcat(stmp, stmp2);
+ stmp2[sizeof (stmp2) - 1] = '\0';
+ strncat(stmp, stmp2, sizeof(stmp) - 1 - strlen(stmp));
+ stmp[sizeof(stmp) - 1] = '\0';
sprintf(server, "%s@%s", stmp, cur_realm);
if (verify_cs_pair(test_context, client, client_princ,
stmp, cur_realm, n, i, j, ccache))