From 1433162454b5dc9a5aaccc53a582df1233354d44 Mon Sep 17 00:00:00 2001
From: Tom Yu
Date: Wed, 5 Sep 2007 21:26:49 +0000
Subject: [PATCH] pull up r19923 from trunk

r19923@cathode-dark-space: tlyu | 2007-09-05 15:53:33 -0400
ticket: 5706

Revise patch to avoid 32-byte overflow which remained after the initial patch. Memory written to by the IXDR macro calls had not been accounted for. Thanks to Kevin Coffman, Will Fiveash, and Nico Williams for discovering this bug and assisting with patch development.

ticket: 5706
version_fixed: 1.6.3

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@19925 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/rpc/svc_auth_gss.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/lib/rpc/svc_auth_gss.c b/src/lib/rpc/svc_auth_gss.c
index d1cfb1c91..83ab9754a 100644
--- a/src/lib/rpc/svc_auth_gss.c
+++ b/src/lib/rpc/svc_auth_gss.c
@@ -355,6 +355,15 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
 	memset(rpchdr, 0, sizeof(rpchdr));
 
 	/* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
+	oa = &msg->rm_call.cb_cred;
+	if (oa->oa_length > MAX_AUTH_BYTES)
+		return (FALSE);
+
+	/* 8 XDR units from the IXDR macro calls. */
+	if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
+			      RNDUP(oa->oa_length)))
+		return (FALSE);
+
 	buf = (int32_t *)(void *)rpchdr;
 	IXDR_PUT_LONG(buf, msg->rm_xid);
 	IXDR_PUT_ENUM(buf, msg->rm_direction);
@@ -362,10 +371,9 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
-	oa = &msg->rm_call.cb_cred;
 	IXDR_PUT_ENUM(buf, oa->oa_flavor);
 	IXDR_PUT_LONG(buf, oa->oa_length);
-	if (oa->oa_length && oa->oa_length <= sizeof(rpchdr)) {
+	if (oa->oa_length) {
 		memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
 		buf += RNDUP(oa->oa_length) / sizeof(int32_t);
 	}
-- 
2.26.2
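Review bot: The literal `8` in the added `if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT + RNDUP(oa->oa_length)))` is a hand count of the IXDR_PUT_* calls that follow (xid, direction, rpcvers, prog, vers, proc, flavor, length), so the bound silently goes stale if a field is ever added to or removed from the header reconstruction, and the comment `/* 8 XDR units from the IXDR macro calls. */` would not catch that. Naming the count next to the puts it describes, e.g. `#define RPCHDR_XDR_UNITS 8 /* xid, dir, rpcvers, prog, vers, proc, flavor, length */` and using it in the check, ties the two together; a post-condition after the credential copy such as `assert((u_char *)buf <= rpchdr + sizeof(rpchdr));` would catch a mismatch in debug builds, assuming rpchdr is a byte array (its declaration is outside the hunk). Since `sizeof(rpchdr)` is a compile-time constant, the second check reduces to a fixed ceiling on `oa->oa_length`; if that ceiling is below MAX_AUTH_BYTES the first check is redundant and a comment saying which bound is the effective one would help the next reader. The body of svcauth_gss_validate continues outside the hunk on both sides.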
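Review bot: The new `if (oa->oa_length) {` drops the local `<= sizeof(rpchdr)` guard and relies on the bound established earlier in the function, but nothing at the memcpy says so, so a later reader (or a cherry-pick that takes only this hunk) cannot see that the copy is still bounded. A one-line comment above the copy, `/* oa_length was bounded against sizeof(rpchdr) above; the RNDUP pad bytes are zero from the memset. */`, records both facts the signing path depends on: the copy fits, and the up-to-3 padding bytes that `buf += RNDUP(oa->oa_length) / sizeof(int32_t)` skips over are deterministic only because of the `memset(rpchdr, 0, sizeof(rpchdr))` at the top of the reconstruction. The enclosing function extends past the end of this hunk.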