pull up r20181 from trunk
authorTom Yu <tlyu@mit.edu>
Sat, 15 Dec 2007 01:22:44 +0000 (01:22 +0000)
committerTom Yu <tlyu@mit.edu>
Sat, 15 Dec 2007 01:22:44 +0000 (01:22 +0000)
 r20181@cathode-dark-space:  tlyu | 2007-12-14 00:01:23 -0500
 ticket: 5855
 target_version: 1.6.4
 tags: pullup

 fix CVE-2007-5902: integer overflow in svcauth_gss_get_principal()

ticket: 5855
version_fixed: 1.6.4

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@20185 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/rpc/svc_auth_gss.c

index 83ab9754ac804970d327bc97b90782b6651ecffc..7d10fe75190434fd926855b776bf18147b3d9224 100644 (file)
@@ -671,7 +671,7 @@ svcauth_gss_get_principal(SVCAUTH *auth)
 
        gd = SVCAUTH_PRIVATE(auth);
 
-       if (gd->cname.length == 0)
+       if (gd->cname.length == 0 || gd->cname.length >= SIZE_MAX)
                return (NULL);
 
        if ((pname = malloc(gd->cname.length + 1)) == NULL)