From: Tom Yu
Date: Fri, 1 Nov 2002 22:13:57 +0000 (+0000)
Subject: MITKRB5-SA-2002-002 buffer overflow in kadmind4
X-Git-Tag: krb5-1.3-alpha1~297
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=11816421529fb3a8469f29d57ac8c882c52e295a;p=krb5.git
MITKRB5-SA-2002-002 buffer overflow in kadmind4
* kadm_ser_wrap.c (kadm_ser_in): Apply fix for MITKRB5-SA-2002-002 buffer overflow.
ticket: new
status: open
version_reported: 1.2.6
target_version: 1.2.7
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14959 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/kadmin/v4server/ChangeLog b/src/kadmin/v4server/ChangeLog
index 1bf63aeb8..256c60f3b 100644
--- a/src/kadmin/v4server/ChangeLog
+++ b/src/kadmin/v4server/ChangeLog
@@ -1,3 +1,8 @@
+2002-11-01 Tom Yu
+
+ * kadm_ser_wrap.c (kadm_ser_in): Apply fix for MITKRB5-SA-2002-002
+ buffer overflow.
+
 2002-08-29 Ken Raeburn
 * Makefile.in: Revert $(S)=>/ change, for Windows support.
diff --git a/src/kadmin/v4server/kadm_ser_wrap.c b/src/kadmin/v4server/kadm_ser_wrap.c
index 41d572b9c..e7914f1d2 100644
--- a/src/kadmin/v4server/kadm_ser_wrap.c
+++ b/src/kadmin/v4server/kadm_ser_wrap.c
@@ -173,14 +173,21 @@ int *dat_len;
 u_char *retdat, *tmpdat;
 int retval, retlen;
- if (strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
+ if ((*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4))
+ || strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
 errpkt(dat, dat_len, KADM_BAD_VER);
 return KADM_BAD_VER;
 }
 in_len = KADM_VERSIZE;
 /* get the length */
- if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0
+ if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0
+ || (r_len > *dat_len - KADM_VERSIZE - sizeof(krb5_ui_4))
+ || (*dat_len - r_len - KADM_VERSIZE -
+ sizeof(krb5_ui_4) > sizeof(authent.dat))) {
+ errpkt(dat, dat_len, KADM_LENGTH_ERROR);
 return KADM_LENGTH_ERROR;
+ }
+
 in_len += retc;
 authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4);
 memcpy((char *)authent.dat, (char *)(*dat) + in_len, authent.length);
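Review bot: The new length checks in kadm_ser_in compare `*dat_len`, which the hunk header shows is an `int`, against `sizeof(krb5_ui_4)`, so every comparison and the later subtractions are evaluated in unsigned arithmetic; a negative `*dat_len` would be promoted to a huge value, satisfy the first `<` test and the `r_len >` test, and still reach the `memcpy`. Whether a caller can ever hand in a negative length is not visible in this hunk, so if it is not guaranteed by the caller the first guard should reject it explicitly, e.g. `if (*dat_len < 0 || (size_t)*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4)`. The third condition also hard-codes `sizeof(krb5_ui_4)` for the length-field width while the code otherwise advances `in_len` by `retc`; if `stv_long` can consume a different count the bound and the copy disagree, which a short comment such as `/* stv_long always consumes sizeof(krb5_ui_4) bytes; the bound below relies on that */` should pin down or refute. A comment above the combined condition stating the invariant it enforces (`/* dat must hold version + length word + r_len bytes, and the remainder must fit authent.dat */`) would make the three-term bound much easier to audit. kadm_ser_in begins before this hunk (K&R parameter declarations are visible in the header) and continues after it.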