diff options
| author | Tom Yu <tlyu@mit.edu> | 2007-06-26 18:08:20 +0000 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 2007-06-26 18:08:20 +0000 |
| commit | 581bc90958d2fbda2bb3547e9b854f5c004a430a (patch) | |
| tree | 86c185270b4e5898a99d1f55119cc1e7759244ce /src/lib/rpc | |
| parent | 4264dd0b101f15826f987c65a87ee5aebfdbc3de (diff) | |
| download | krb5-581bc90958d2fbda2bb3547e9b854f5c004a430a.zip krb5-581bc90958d2fbda2bb3547e9b854f5c004a430a.tar.gz krb5-581bc90958d2fbda2bb3547e9b854f5c004a430a.tar.bz2 | |
fix MITKRB5-SA-2007-004 [CVE-2007-2442/VU#356961, CVE-2007-2443/VU#365313]
CVE-2007-2442/VU#356961: The RPC library can free an uninitialized
pointer. This may lead to execution of arbitrary code.
CVE-2007-2443/VU#365313: The RPC library can write past the end of a
stack buffer. This may (but is unlikely to) lead to execution of
arbitrary code.
ticket: new
target_version: 1.6.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19636 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/rpc')
| -rw-r--r-- | src/lib/rpc/svc_auth_gssapi.c | 2 | ||||
| -rw-r--r-- | src/lib/rpc/svc_auth_unix.c | 11 |
2 files changed, 8 insertions, 5 deletions
diff --git a/src/lib/rpc/svc_auth_gssapi.c b/src/lib/rpc/svc_auth_gssapi.c index 9659127..a18ab68 100644 --- a/src/lib/rpc/svc_auth_gssapi.c +++ b/src/lib/rpc/svc_auth_gssapi.c @@ -149,6 +149,8 @@ enum auth_stat gssrpc__svcauth_gssapi( rqst->rq_xprt->xp_auth = &svc_auth_none; memset((char *) &call_res, 0, sizeof(call_res)); + creds.client_handle.length = 0; + creds.client_handle.value = NULL; cred = &msg->rm_call.cb_cred; verf = &msg->rm_call.cb_verf; diff --git a/src/lib/rpc/svc_auth_unix.c b/src/lib/rpc/svc_auth_unix.c index 480ee7a..016644b 100644 --- a/src/lib/rpc/svc_auth_unix.c +++ b/src/lib/rpc/svc_auth_unix.c @@ -64,8 +64,7 @@ gssrpc__svcauth_unix( char area_machname[MAX_MACHINE_NAME+1]; int area_gids[NGRPS]; } *area; - u_int auth_len; - int str_len, gid_len; + u_int auth_len, str_len, gid_len; register int i; rqst->rq_xprt->xp_auth = &svc_auth_none; @@ -74,7 +73,9 @@ gssrpc__svcauth_unix( aup = &area->area_aup; aup->aup_machname = area->area_machname; aup->aup_gids = area->area_gids; - auth_len = (u_int)msg->rm_call.cb_cred.oa_length; + auth_len = msg->rm_call.cb_cred.oa_length; + if (auth_len > INT_MAX) + return AUTH_BADCRED; xdrmem_create(&xdrs, msg->rm_call.cb_cred.oa_base, auth_len,XDR_DECODE); buf = XDR_INLINE(&xdrs, (int)auth_len); if (buf != NULL) { @@ -84,7 +85,7 @@ gssrpc__svcauth_unix( stat = AUTH_BADCRED; goto done; } - memmove(aup->aup_machname, (caddr_t)buf, (u_int)str_len); + memmove(aup->aup_machname, buf, str_len); aup->aup_machname[str_len] = 0; str_len = RNDUP(str_len); buf += str_len / BYTES_PER_XDR_UNIT; @@ -104,7 +105,7 @@ gssrpc__svcauth_unix( * timestamp, hostname len (0), uid, gid, and gids len (0). */ if ((5 + gid_len) * BYTES_PER_XDR_UNIT + str_len > auth_len) { - (void) printf("bad auth_len gid %d str %d auth %d\n", + (void) printf("bad auth_len gid %u str %u auth %u\n", gid_len, str_len, auth_len); stat = AUTH_BADCRED; goto done; |