author | Tom Yu <tlyu@mit.edu> | 2002-11-01 22:13:57 +0000 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2002-11-01 22:13:57 +0000 |
commit | 11816421529fb3a8469f29d57ac8c882c52e295a (patch) | |
tree | 2df5eae838ca89be8f659cf12d7aa0bfd4db1516 /src/kadmin | |
parent | 7355534e4e1c8e976a95be02e80927f4f2437ecd (diff) | |
MITKRB5-SA-2002-002 buffer overflow in kadmind4
* kadm_ser_wrap.c (kadm_ser_in): Apply fix for MITKRB5-SA-2002-002
buffer overflow.
ticket: new
status: open
version_reported: 1.2.6
target_version: 1.2.7
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14959 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kadmin')
-rw-r--r-- | src/kadmin/v4server/ChangeLog | 5 | ||||
-rw-r--r-- | src/kadmin/v4server/kadm_ser_wrap.c | 11 |
2 files changed, 14 insertions, 2 deletions
diff --git a/src/kadmin/v4server/ChangeLog b/src/kadmin/v4server/ChangeLog
index 1bf63ae..256c60f 100644
--- a/src/kadmin/v4server/ChangeLog
+++ b/src/kadmin/v4server/ChangeLog
@@ -1,3 +1,8 @@
+2002-11-01 Tom Yu <tlyu@mit.edu>
+
+ * kadm_ser_wrap.c (kadm_ser_in): Apply fix for MITKRB5-SA-2002-002
+ buffer overflow.
+
 2002-08-29 Ken Raeburn <raeburn@mit.edu>
 
 * Makefile.in: Revert $(S)=>/ change, for Windows support.
diff --git a/src/kadmin/v4server/kadm_ser_wrap.c b/src/kadmin/v4server/kadm_ser_wrap.c
index 41d572b..e7914f1 100644
--- a/src/kadmin/v4server/kadm_ser_wrap.c
+++ b/src/kadmin/v4server/kadm_ser_wrap.c
@@ -173,14 +173,21 @@ int *dat_len;
 u_char *retdat, *tmpdat;
 int retval, retlen;
 
- if (strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
+ if ((*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4))
+ || strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
 errpkt(dat, dat_len, KADM_BAD_VER);
 return KADM_BAD_VER;
 }
 in_len = KADM_VERSIZE;
 /* get the length */
- if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0)
+ if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0
+ || (r_len > *dat_len - KADM_VERSIZE - sizeof(krb5_ui_4))
+ || (*dat_len - r_len - KADM_VERSIZE -
+ sizeof(krb5_ui_4) > sizeof(authent.dat))) {
+ errpkt(dat, dat_len, KADM_LENGTH_ERROR);
 return KADM_LENGTH_ERROR;
+ }
+
 in_len += retc;
 authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4);
 memcpy((char *)authent.dat, (char *)(*dat) + in_len, authent.length); |
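Review bot: The new bounds checks compare `*dat_len`, an `int`, against `size_t` expressions, so they depend on implicit conversion to unsigned and never reject a negative length explicitly; whether a caller can pass one is not visible in this hunk, but the first test would be self-contained as `if (*dat_len < 0 || (size_t)*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4)`. The expression `*dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4)` now appears in the length check and again in the `authent.length` assignment; computing it once into a local after the `r_len` test, and using that local for both the `sizeof(authent.dat)` comparison and the `memcpy` length, keeps the bound and the copy from drifting apart in later edits. A short comment above the second `if`, such as `/* r_len must fit in the packet, and the remaining authenticator must fit in authent.dat */`, would record why both comparisons are needed. kadm_ser_in begins before this hunk and continues past it.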