From: Tom Yu Date: Wed, 5 Sep 2007 21:26:16 +0000 (+0000) Subject: pull up r19913 from trunk X-Git-Tag: krb5-1.6.3-beta1~22 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=9d90c70837d744d44f495a339d77acd01339e9a3;p=krb5.git pull up r19913 from trunk r19913@cathode-dark-space: tlyu | 2007-09-04 14:52:56 -0400 ticket: new subject: fix CVE-2007-3999 svc_auth_gss.c buffer overflow target_version: 1.6.3 tags: pullup component: krb5-libs Make sure svcauth_gss_validate adequately checks oa->oa_length prior to copying into rpcbuf. ticket: 5706 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@19924 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/lib/rpc/svc_auth_gss.c b/src/lib/rpc/svc_auth_gss.c
index 78da340cb..d1cfb1c91 100644
--- a/src/lib/rpc/svc_auth_gss.c
+++ b/src/lib/rpc/svc_auth_gss.c
@@ -365,7 +365,7 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
 oa = &msg->rm_call.cb_cred;
 IXDR_PUT_ENUM(buf, oa->oa_flavor);
 IXDR_PUT_LONG(buf, oa->oa_length);
- if (oa->oa_length) {
+ if (oa->oa_length && oa->oa_length <= sizeof(rpchdr)) {
 memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
 buf += RNDUP(oa->oa_length) / sizeof(int32_t);
 }
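Review bot: The new bound on the `if` before the `memcpy` compares `oa->oa_length` with the whole of `sizeof(rpchdr)`, but `buf` has already advanced past at least the two fields written by `IXDR_PUT_ENUM` and `IXDR_PUT_LONG` just above (and presumably further header fields written before the hunk), so, assuming `buf` is a cursor into `rpchdr`, a length near `sizeof(rpchdr)` still writes past the end of the array. The check should bound the rounded length by the space remaining, e.g. `if (RNDUP(oa->oa_length) > sizeof(rpchdr) - (size_t)((caddr_t)buf - (caddr_t)rpchdr))`, and reject the request there. As written, an oversized length also just skips the copy and carries on with a header that already records `oa_length` but lacks the credential body; failing the validation outright would be safer than continuing. svcauth_gss_validate starts and ends outside the hunk, so the declaration of `rpchdr` and the earlier writes should be confirmed against the full function.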