author | Tom Yu <tlyu@mit.edu> | 2007-09-05 19:53:33 +0000 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2007-09-05 19:53:33 +0000 |
commit | e900740e5a92b06d75d8af45d6904e905365cd57 (patch) | |
tree | 1e568576adca8db7f2bb5998f999a46811d14efa /src/lib | |
parent | 1e23b1998c87ff0d2c3ea27a2e112532a13d2b6c (diff) | |
Revise patch to avoid 32-byte overflow which remained after the
initial patch. Memory written to by the IXDR macro calls had not been
accounted for. Thanks to Kevin Coffman, Will Fiveash, and Nico
Williams for discovering this bug and assisting with patch
development.
ticket: 5706
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19923 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/rpc/svc_auth_gss.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/src/lib/rpc/svc_auth_gss.c b/src/lib/rpc/svc_auth_gss.c
index bac560d..1b2fa1e 100644
--- a/src/lib/rpc/svc_auth_gss.c
+++ b/src/lib/rpc/svc_auth_gss.c
@@ -329,6 +329,15 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
 	memset(rpchdr, 0, sizeof(rpchdr));
 	/* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
+	oa = &msg->rm_call.cb_cred;
+	if (oa->oa_length > MAX_AUTH_BYTES)
+		return (FALSE);
+
+	/* 8 XDR units from the IXDR macro calls. */
+	if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
+			      RNDUP(oa->oa_length)))
+		return (FALSE);
+
 	buf = (int32_t *)(void *)rpchdr;
 	IXDR_PUT_LONG(buf, msg->rm_xid);
 	IXDR_PUT_ENUM(buf, msg->rm_direction);
@@ -336,10 +345,9 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
-	oa = &msg->rm_call.cb_cred;
 	IXDR_PUT_ENUM(buf, oa->oa_flavor);
 	IXDR_PUT_LONG(buf, oa->oa_length);
-	if (oa->oa_length && oa->oa_length <= sizeof(rpchdr)) {
+	if (oa->oa_length) {
 		memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
 		buf += RNDUP(oa->oa_length) / sizeof(int32_t);
 	}
|
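Review bot: The `8 * BYTES_PER_XDR_UNIT` term in the new size check is a hand-counted constant that has to stay in step with the IXDR_PUT_* sequence that follows it; the seven calls visible across the two hunks (xid, direction, prog, vers, proc, cred flavor, cred length) plus one in the lines between the hunks — presumably cb_rpcvers — are what it accounts for, but nothing in the code ties the number to that sequence. I would give it a name next to the function, `#define RPCHDR_FIXED_UNITS 8 /* IXDR_PUT_* calls in svcauth_gss_validate: xid, dir, rpcvers, prog, vers, proc, cred flavor, cred length */`, and use it in the comparison so that whoever adds a field sees what to update. The preceding `MAX_AUTH_BYTES` rejection is what keeps `RNDUP(oa->oa_length)` small enough that the addition cannot wrap, which is worth saying in the comment as well. svcauth_gss_validate begins and ends outside the hunk, so rpchdr's declaration and the final header-length computation are not visible here.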
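Review bot: The relaxed `if (oa->oa_length)` guard in the second hunk now relies on the bound established some fifteen lines earlier, and the `buf += RNDUP(oa->oa_length) / sizeof(int32_t)` advance relies on the `memset(rpchdr, 0, sizeof(rpchdr))` shown as context in the first hunk to supply zero XDR padding bytes between oa_length and the rounded-up length; neither dependency is stated at the point of use. A comment above the memcpy, `/* oa_length was bounded against rpchdr above; the pad bytes are zero from the memset. */`, would keep a later edit from reordering or removing either piece. The enclosing function continues past the end of the hunk.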