author | Tom Yu <tlyu@mit.edu> | 2008-03-25 03:16:31 +0000 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2008-03-25 03:16:31 +0000 |
commit | 5c9652458a6671fa42d34aae1783a84cf62f5c49 (patch) | |
tree | 9ecd54ba38e687352d855b07dcdca033293cd62d | |
parent | 9ea16f8d1f9390c867569d51a833e331e31fb2f2 (diff) | |
(1.5.x) fix MITKRB5-SA-2007-006 svc_auth_gss.c buffer overflow [CVE-2007-3999, CVE-2007-4743]
r19913@cathode-dark-space: tlyu | 2007-09-04 14:52:56 -0400
ticket: new
subject: fix CVE-2007-3999 svc_auth_gss.c buffer overflow
target_version: 1.6.3
tags: pullup
component: krb5-libs
Make sure svcauth_gss_validate adequately checks oa->oa_length prior
to copying into rpcbuf.
ticket: new
target_version: 1.5.4
tags: pullup
component: krb5-libs
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-5@20289 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/lib/rpc/svc_auth_gss.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/lib/rpc/svc_auth_gss.c b/src/lib/rpc/svc_auth_gss.c
index 78da340..d1cfb1c 100644
--- a/src/lib/rpc/svc_auth_gss.c
+++ b/src/lib/rpc/svc_auth_gss.c
@@ -365,7 +365,7 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
 oa = &msg->rm_call.cb_cred;
 IXDR_PUT_ENUM(buf, oa->oa_flavor);
 IXDR_PUT_LONG(buf, oa->oa_length);
- if (oa->oa_length) {
+ if (oa->oa_length && oa->oa_length <= sizeof(rpchdr)) {
 memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
 buf += RNDUP(oa->oa_length) / sizeof(int32_t);
 } |
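Review bot: The new bound on the `if` line compares `oa->oa_length` with the whole of `sizeof(rpchdr)`, but `buf` has already been advanced by the two `IXDR_PUT_*` calls visible in this hunk (and presumably by earlier ones outside it). Assuming `buf` points into `rpchdr`, a length that passes the check can therefore still let the `memcpy` write past the end of the buffer. The check should measure the space remaining after `buf` and use the rounded length, since `buf` then advances by `RNDUP(oa->oa_length)`: `if (RNDUP(oa->oa_length) > sizeof(rpchdr) - ((caddr_t)buf - (caddr_t)rpchdr))`. An oversized credential should also fail validation outright rather than skip the copy and continue with a header that declares a length but carries no credential body. The function's return convention is outside the hunk, as are the start and end of `svcauth_gss_validate` and the declaration of `rpchdr`, so confirm the buffer size and the failure return against the full file.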