From a5c70489f99c8259d4770aeb96524a91395b8ab9 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Sun, 10 Apr 2022 10:46:51 -0700
Subject: Fix off-by-one in quote-stripping routines

Reported by Oracle Parfait:
Error: Buffer overrun Buffer overflow [buffer-overflow] (CWE 120): In pointer dereference of key[(len - 1)] with index (len - 1) Array size >= 1 bytes, index >= 1 at line 1647 of process.c in function 'do_add'.
Error: Buffer overrun Buffer overflow [buffer-overflow] (CWE 120): In pointer dereference of authdata[(authdatalen - 1)] with index (authdatalen - 1) Array size is ??? bytes, index is ??? at line 1965 of process.c in function 'do_generate'.

Signed-off-by: Alan Coopersmith
---
 process.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'process.c')
diff --git a/process.c b/process.c
index eb89751..08ec121 100644
--- a/process.c
+++ b/process.c
@@ -1644,7 +1644,7 @@ do_add(const char *inputfilename, int lineno, int argc, const char **argv)
 return 1;
 }
 strncpy(key, hexkey+1, len-2);
- key[len-1] = '\0';
+ key[len-2] = '\0';
 len -= 2;
 } else if (!strcmp(protoname, SECURERPC) ||
 !strcmp(protoname, K5AUTH)) {
@@ -1962,7 +1962,7 @@ do_generate(const char *inputfilename, int lineno, int argc, const char **argv)
 goto exit_generate;
 }
 strncpy(authdata, hexdata+1, authdatalen-2);
- authdata[authdatalen-1] = '\0';
+ authdata[authdatalen-2] = '\0';
 authdatalen -= 2;
 } else {
 authdatalen = cvthexkey (hexdata, &authdata);
--
cgit v1.2.1
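Review bot: The corrected terminator writes `key[len-2] = '\0';` in do_add and `authdata[authdatalen-2] = '\0';` in do_generate are in bounds only when the length is at least 2, and neither hunk shows a check that guarantees it. The enclosing quote-stripping branch and the allocation of `key` / `authdata` start outside both hunks, so this is inferred: if the branch only tests that the first and last characters are quotes, a one-character argument would pass that test and make `len-2` negative, and that value is then used as the strncpy count and as the array index. I would confirm that the branch condition includes `len >= 2` (respectively `authdatalen >= 2`), or add it there. A short comment next to each write, such as `/* buffer holds len-2 chars plus the NUL at index len-2 */`, would state the size relation that the off-by-one violated.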