fix CVE-2007-3999 svc_auth_gss.c buffer overflow

Make sure svcauth_gss_validate adequately checks oa->oa_length prior
to copying into rpcbuf.

ticket: new
target_version: 1.6.3
tags: pullup
component: krb5-libs

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19913 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/rpc/svc_auth_gss.c b/src/lib/rpc/svc_auth_gss.c
index e2c0777b6c6c307059eb9b75599011c1a2fed107..bac560dc034abaf92b44d316158738f35216d86f 100644 (file)
--- a/src/lib/rpc/svc_auth_gss.c
+++ b/src/lib/rpc/svc_auth_gss.c
@@ -339,7 +339,7 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
        oa = &msg->rm_call.cb_cred;
        IXDR_PUT_ENUM(buf, oa->oa_flavor);
        IXDR_PUT_LONG(buf, oa->oa_length);
-       if (oa->oa_length) {
+       if (oa->oa_length && oa->oa_length <= sizeof(rpchdr)) {
                memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
                buf += RNDUP(oa->oa_length) / sizeof(int32_t);
        }