MITKRB5-SA-2002-002 buffer overflow in kadmind4
authorTom Yu <tlyu@mit.edu>
Fri, 1 Nov 2002 22:13:57 +0000 (22:13 +0000)
committerTom Yu <tlyu@mit.edu>
Fri, 1 Nov 2002 22:13:57 +0000 (22:13 +0000)
* kadm_ser_wrap.c (kadm_ser_in): Apply fix for MITKRB5-SA-2002-002
buffer overflow.

ticket: new
status: open
version_reported: 1.2.6
target_version: 1.2.7

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14959 dc483132-0cff-0310-8789-dd5450dbe970

src/kadmin/v4server/ChangeLog
src/kadmin/v4server/kadm_ser_wrap.c

index 1bf63aeb8bfea4f19ad0ceba5c2f472f5c668da8..256c60f3b2152300079e8a775511d6fc3a21487a 100644 (file)
@@ -1,3 +1,8 @@
+2002-11-01  Tom Yu  <tlyu@mit.edu>
+
+       * kadm_ser_wrap.c (kadm_ser_in): Apply fix for MITKRB5-SA-2002-002
+       buffer overflow.
+
 2002-08-29  Ken Raeburn  <raeburn@mit.edu>
 
        * Makefile.in: Revert $(S)=>/ change, for Windows support.
index 41d572b9c430cf208a0212c67ff181a71f5fca82..e7914f1d2cecf50a17f91a6373523327a0cfde88 100644 (file)
@@ -173,14 +173,21 @@ int *dat_len;
     u_char *retdat, *tmpdat;
     int retval, retlen;
 
-    if (strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
+    if ((*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4))
+       || strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
        errpkt(dat, dat_len, KADM_BAD_VER);
        return KADM_BAD_VER;
     }
     in_len = KADM_VERSIZE;
     /* get the length */
-    if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0)
+    if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0
+       || (r_len > *dat_len - KADM_VERSIZE - sizeof(krb5_ui_4))
+       || (*dat_len - r_len - KADM_VERSIZE -
+           sizeof(krb5_ui_4) > sizeof(authent.dat))) {
+       errpkt(dat, dat_len, KADM_LENGTH_ERROR);
        return KADM_LENGTH_ERROR;
+    }
+
     in_len += retc;
     authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4);
     memcpy((char *)authent.dat, (char *)(*dat) + in_len, authent.length);
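Review bot: The new guard on the first `if` compares `*dat_len`, which the hunk header shows declared as `int *dat_len`, against a `size_t` expression, so a negative `*dat_len` is converted to an unsigned value, passes the check, and then feeds the `r_len` and `authent.length` arithmetic as a huge unsigned quantity. Whether a negative length can reach `kadm_ser_in` depends on the caller, which is outside the hunk, but rejecting it explicitly is cheap: `if (*dat_len < 0 || (size_t)*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4)`. The second and third conditions also rely on `stv_long` consuming exactly `sizeof(krb5_ui_4)` bytes, because the copy offset is built from `in_len += retc` while `authent.length` subtracts `sizeof(krb5_ui_4)`; a comment such as `/* stv_long must consume exactly sizeof(krb5_ui_4) bytes, or the offset and length math below disagree */` would make that coupling visible to the next maintainer. The enclosing function starts before this hunk and continues after it.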