Revise patch to avoid 32-byte overflow which remained after the

initial patch.  Memory written to by the IXDR macro calls had not been
accounted for.  Thanks to Kevin Coffman, Will Fiveash, and Nico
Williams for discovering this bug and assisting with patch
development.

ticket: 5706

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19923 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/rpc/svc_auth_gss.c b/src/lib/rpc/svc_auth_gss.c
index bac560dc034abaf92b44d316158738f35216d86f..1b2fa1e1497e38cdcf425c186bf836d48a2524d0 100644 (file)
--- a/src/lib/rpc/svc_auth_gss.c
+++ b/src/lib/rpc/svc_auth_gss.c
@@ -329,6 +329,15 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
        memset(rpchdr, 0, sizeof(rpchdr));
 
        /* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
+       oa = &msg->rm_call.cb_cred;
+       if (oa->oa_length > MAX_AUTH_BYTES)
+               return (FALSE);
+
+       /* 8 XDR units from the IXDR macro calls. */
+       if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
+                             RNDUP(oa->oa_length)))
+               return (FALSE);
+
        buf = (int32_t *)(void *)rpchdr;
        IXDR_PUT_LONG(buf, msg->rm_xid);
        IXDR_PUT_ENUM(buf, msg->rm_direction);
@@ -336,10 +345,9 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
        IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
        IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
        IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
-       oa = &msg->rm_call.cb_cred;
        IXDR_PUT_ENUM(buf, oa->oa_flavor);
        IXDR_PUT_LONG(buf, oa->oa_length);
-       if (oa->oa_length && oa->oa_length <= sizeof(rpchdr)) {
+       if (oa->oa_length) {
                memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
                buf += RNDUP(oa->oa_length) / sizeof(int32_t);
        }