diff options
author | Ken Raeburn <raeburn@mit.edu> | 2004-02-09 22:10:40 +0000 |
---|---|---|
committer | Ken Raeburn <raeburn@mit.edu> | 2004-02-09 22:10:40 +0000 |
commit | e4c192c4d6f5e8c4b7a6bb5cf974944310fc0c82 (patch) | |
tree | 758139575458d41114c45efa85f1b8b14b85c174 /src/lib/gssapi/generic | |
parent | f7f601d95224e4cbcec5215610e61088718f10fa (diff) | |
download | krb5-e4c192c4d6f5e8c4b7a6bb5cf974944310fc0c82.zip krb5-e4c192c4d6f5e8c4b7a6bb5cf974944310fc0c82.tar.gz krb5-e4c192c4d6f5e8c4b7a6bb5cf974944310fc0c82.tar.bz2 |
* util_ordering.c (g_queue_externalize, g_queue_internalize): Check for
sufficient buffer space.
ticket: 2166
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16040 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/gssapi/generic')
-rw-r--r-- | src/lib/gssapi/generic/ChangeLog | 5 | ||||
-rw-r--r-- | src/lib/gssapi/generic/util_ordering.c | 4 |
2 files changed, 9 insertions, 0 deletions
diff --git a/src/lib/gssapi/generic/ChangeLog b/src/lib/gssapi/generic/ChangeLog index 50f08ca..fd5eb97 100644 --- a/src/lib/gssapi/generic/ChangeLog +++ b/src/lib/gssapi/generic/ChangeLog @@ -1,3 +1,8 @@ +2004-02-08 Ken Raeburn <raeburn@mit.edu> + + * util_ordering.c (g_queue_externalize, g_queue_internalize): + Check for sufficient buffer space. + 2003-12-19 Ken Raeburn <raeburn@mit.edu> * gssapi_generic.c (const_oids): Renamed from oids, and now const. diff --git a/src/lib/gssapi/generic/util_ordering.c b/src/lib/gssapi/generic/util_ordering.c index fe2eaaf..f7cf666 100644 --- a/src/lib/gssapi/generic/util_ordering.c +++ b/src/lib/gssapi/generic/util_ordering.c @@ -219,6 +219,8 @@ g_queue_size(void *vqueue, size_t *sizep) gss_uint32 g_queue_externalize(void *vqueue, unsigned char **buf, size_t *lenremain) { + if (*lenremain < sizeof(queue)) + return ENOMEM; memcpy(*buf, vqueue, sizeof(queue)); *buf += sizeof(queue); *lenremain -= sizeof(queue); @@ -231,6 +233,8 @@ g_queue_internalize(void **vqueue, unsigned char **buf, size_t *lenremain) { void *q; + if (*lenremain < sizeof(queue)) + return EINVAL; if ((q = malloc(sizeof(queue))) == 0) return ENOMEM; memcpy(q, *buf, sizeof(queue)); |