CVE-2009-0847 (1.6.x) asn1buf_imbed incorrect length validatin
authorTom Yu <tlyu@mit.edu>
Wed, 8 Apr 2009 01:22:57 +0000 (01:22 +0000)
committerTom Yu <tlyu@mit.edu>
Wed, 8 Apr 2009 01:22:57 +0000 (01:22 +0000)
commitd68398e122cfd6c3fc35ab54b3cbeed38ae1e6a9
tree1b5723b52bbf79fca02caa098077f50f6a2e1487
parentbfe7b5f6a92129e238eae0ef5a41ff19b063f0b9
CVE-2009-0847 (1.6.x) asn1buf_imbed incorrect length validatin

pull up rxxxx from trunk

asn1buf_imbed() can perform pointer arithmetic that causes the "bound"
pointer of the subbuffer to be less than the "next" pointer.  This can
lead to malloc() failure or crash.

In asn1buf_imbed(), check the length before doing arithmetic to set
subbuf->bound.  In asn1buf_remove_octetstring() and
asn1buf_remove_charstring(), check for invalid buffer pointers before
executing an unsigned length check against a (casted to size_t)
negative number.

ticket: 6447
tags: pullup
target_version: 1.6.4
version_fixed: 1.6.4

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@22180 dc483132-0cff-0310-8789-dd5450dbe970
src/lib/krb5/asn.1/asn1buf.c