fix MITKRB5-SA-2007-004 [CVE-2007-2442/VU#356961, CVE-2007-2443/VU#365313]

CVE-2007-2442/VU#356961: The RPC library can free an uninitialized
pointer.  This may lead to execution of arbitrary code.

CVE-2007-2443/VU#365313: The RPC library can write past the end of a
stack buffer.  This may (but is unlikely to) lead to execution of
arbitrary code.

ticket: new
target_version: 1.6.2
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19636 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/rpc/svc_auth_gssapi.c b/src/lib/rpc/svc_auth_gssapi.c
index 9659127e294e54375c23a39b67a1bea9a154ba46..a18ab6815f3db51f7c76cdcde89878f5d2646722 100644 (file)
--- a/src/lib/rpc/svc_auth_gssapi.c
+++ b/src/lib/rpc/svc_auth_gssapi.c
@@ -149,6 +149,8 @@ enum auth_stat gssrpc__svcauth_gssapi(
      rqst->rq_xprt->xp_auth = &svc_auth_none;
      
      memset((char *) &call_res, 0, sizeof(call_res));
+     creds.client_handle.length = 0;
+     creds.client_handle.value = NULL;
      
      cred = &msg->rm_call.cb_cred;
      verf = &msg->rm_call.cb_verf;

diff --git a/src/lib/rpc/svc_auth_unix.c b/src/lib/rpc/svc_auth_unix.c
index 480ee7a9ec344cb2b946203fdf4445edd3a96560..016644b403bba4a09a642928a31eca4430a5c061 100644 (file)
--- a/src/lib/rpc/svc_auth_unix.c
+++ b/src/lib/rpc/svc_auth_unix.c
@@ -64,8 +64,7 @@ gssrpc__svcauth_unix(
                char area_machname[MAX_MACHINE_NAME+1];
                int area_gids[NGRPS];
        } *area;
-       u_int auth_len;
-       int str_len, gid_len;
+       u_int auth_len, str_len, gid_len;
        register int i;
 
        rqst->rq_xprt->xp_auth = &svc_auth_none;
@@ -74,7 +73,9 @@ gssrpc__svcauth_unix(
        aup = &area->area_aup;
        aup->aup_machname = area->area_machname;
        aup->aup_gids = area->area_gids;
-       auth_len = (u_int)msg->rm_call.cb_cred.oa_length;
+       auth_len = msg->rm_call.cb_cred.oa_length;
+       if (auth_len > INT_MAX)
+               return AUTH_BADCRED;
        xdrmem_create(&xdrs, msg->rm_call.cb_cred.oa_base, auth_len,XDR_DECODE);
        buf = XDR_INLINE(&xdrs, (int)auth_len);
        if (buf != NULL) {
@@ -84,7 +85,7 @@ gssrpc__svcauth_unix(
                        stat = AUTH_BADCRED;
                        goto done;
                }
-               memmove(aup->aup_machname, (caddr_t)buf, (u_int)str_len);
+               memmove(aup->aup_machname, buf, str_len);
                aup->aup_machname[str_len] = 0;
                str_len = RNDUP(str_len);
                buf += str_len / BYTES_PER_XDR_UNIT;
@@ -104,7 +105,7 @@ gssrpc__svcauth_unix(
                 * timestamp, hostname len (0), uid, gid, and gids len (0).
                 */
                if ((5 + gid_len) * BYTES_PER_XDR_UNIT + str_len > auth_len) {
-                       (void) printf("bad auth_len gid %d str %d auth %d\n",
+                       (void) printf("bad auth_len gid %u str %u auth %u\n",
                            gid_len, str_len, auth_len);
                        stat = AUTH_BADCRED;
                        goto done;