projects / krb5.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 0b0f822) | patch
pull up r22175 from trunk
authorTom Yu <tlyu@mit.edu>
Wed, 15 Apr 2009 20:07:32 +0000 (20:07 +0000)
committerTom Yu <tlyu@mit.edu>
Wed, 15 Apr 2009 20:07:32 +0000 (20:07 +0000)
commit20e2c2c5443fcb7ad2711e71ed10af9bb9840fbe
treee17f767e7c5dd80b6205111ccd3a66bf3c0999f7tree | snapshot
parent0b0f822ef42ad721e720a2c3e4f3dfa7bf5f5f1ccommit | diff
pull up r22175 from trunk

 ------------------------------------------------------------------------
 r22175 | tlyu | 2009-04-07 17:22:20 -0400 (Tue, 07 Apr 2009) | 14 lines
 Changed paths:
    M /trunk/src/lib/krb5/asn.1/asn1buf.c

 ticket: 6444
 subject: CVE-2009-0847 asn1buf_imbed incorrect length validation
 tags: pullup
 target_version: 1.7

 asn1buf_imbed() can perform pointer arithmetic that causes the "bound"
 pointer of the subbuffer to be less than the "next" pointer.  This can
 lead to malloc() failure or crash.

 In asn1buf_imbed(), check the length before doing arithmetic to set
 subbuf->bound.  In asn1buf_remove_octetstring() and
 asn1buf_remove_charstring(), check for invalid buffer pointers before
 executing an unsigned length check against a (casted to size_t)
 negative number.

ticket: 6444
version_fixed: 1.7

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22249 dc483132-0cff-0310-8789-dd5450dbe970
src/lib/krb5/asn.1/asn1buf.c diff | blob | history
MIT implementation of the Kerberos network authentication protocol. This repo may be rebased, so don't base your work on it. Use git://github.com/krb5/krb5 instead.