Fix parsing of GSS exported names
authorGreg Hudson <ghudson@mit.edu>
Fri, 11 Sep 2009 17:30:51 +0000 (17:30 +0000)
committerGreg Hudson <ghudson@mit.edu>
Fri, 11 Sep 2009 17:30:51 +0000 (17:30 +0000)
Cherry-picked from Luke's authdata branch.

ticket: 6559
tags: pullup
target_version: 1.7.1

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22732 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/gssapi/krb5/import_name.c

index 6879c766faa000e13ea4739eff7ae3531ec014f5..440d36222b184cbb567b2f4ba47172f0467e5def 100644 (file)
@@ -56,7 +56,8 @@ krb5_gss_import_name(minor_status, input_name_buffer,
     krb5_context context;
     krb5_principal princ;
     krb5_error_code code;
-    char *stringrep, *tmp, *tmp2, *cp;
+    unsigned char *cp, *end;
+    char *stringrep, *tmp, *tmp2;
     OM_uint32    length;
 #ifndef NO_PASSWORD
     struct passwd *pw;
@@ -155,7 +156,12 @@ krb5_gss_import_name(minor_status, input_name_buffer,
             goto do_getpwuid;
 #endif
         } else if (g_OID_equal(input_name_type, gss_nt_exported_name)) {
-            cp = tmp;
+#define BOUNDS_CHECK(cp, end, n) do { if ((end) - (cp) < (n)) \
+                    goto fail_name; } while (0)
+            cp = (unsigned char *)tmp;
+            end = cp + input_name_buffer->length;
+
+            BOUNDS_CHECK(cp, end, 4);
             if (*cp++ != 0x04)
                 goto fail_name;
             if (*cp++ != 0x01)
@@ -163,20 +169,28 @@ krb5_gss_import_name(minor_status, input_name_buffer,
             if (*cp++ != 0x00)
                 goto fail_name;
             length = *cp++;
-            if (length != gss_mech_krb5->length+2)
+            if (length != (ssize_t)gss_mech_krb5->length+2)
                 goto fail_name;
+
+            BOUNDS_CHECK(cp, end, 2);
             if (*cp++ != 0x06)
                 goto fail_name;
             length = *cp++;
             if (length != gss_mech_krb5->length)
                 goto fail_name;
+
+            BOUNDS_CHECK(cp, end, length);
             if (memcmp(cp, gss_mech_krb5->elements, length) != 0)
                 goto fail_name;
             cp += length;
+
+            BOUNDS_CHECK(cp, end, 4);
             length = *cp++;
             length = (length << 8) | *cp++;
             length = (length << 8) | *cp++;
             length = (length << 8) | *cp++;
+
+            BOUNDS_CHECK(cp, end, length);
             tmp2 = malloc(length+1);
             if (tmp2 == NULL) {
                 xfree(tmp);
@@ -184,7 +198,7 @@ krb5_gss_import_name(minor_status, input_name_buffer,
                 krb5_free_context(context);
                 return GSS_S_FAILURE;
             }
-            strncpy(tmp2, cp, length);
+            strncpy(tmp2, (char *)cp, length);
             tmp2[length] = 0;
 
             stringrep = tmp2;