When string is not terminated, queries with corrupted base may be sent to LDAP:
... cn=ipa1.example.com<garbage>,cn=masters... https://fedorahosted.org/freeipa/ticket/4214 -- Martin Kosek <mko...@redhat.com> Supervisor, Software Engineering - Identity Management Team Red Hat Inc.
From 74bb082c7c286e9911f1a376ed9ce25845857672 Mon Sep 17 00:00:00 2001 From: Martin Kosek <mko...@redhat.com> Date: Fri, 7 Mar 2014 10:06:52 +0100 Subject: [PATCH] Avoid passing non-terminated string to is_master_host When string is not terminated, queries with corrupted base may be sent to LDAP: ... cn=ipa1.example.com<garbage>,cn=masters... https://fedorahosted.org/freeipa/ticket/4214 --- daemons/ipa-kdb/ipa_kdb_mspac.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 9137cd5ad1e6166fd5d6e765fab2c8178ca0587c..c1b018cc80402c2c3488487aee1d9709b902c5b4 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -488,13 +488,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, } data = krb5_princ_component(ipactx->context, princ, 1); - strres = malloc(data->length); + strres = malloc(data->length+1); if (strres == NULL) { krb5_free_principal(ipactx->kcontext, princ); return ENOENT; } memcpy(strres, data->data, data->length); + strres[data->length] = '\0'; krb5_free_principal(ipactx->kcontext, princ); /* Only add PAC to TGT to services on IPA masters to allow querying -- 1.8.5.3
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
