From db63f78232526dda43abf22defd8daac46f66037 Mon Sep 17 00:00:00 2001
From: Tom Yu <tlyu@mit.edu>
Date: Fri, 6 Jul 2007 19:29:03 +0000
Subject: [PATCH] (krb5-1.5.x) fix MITKRB5-SA-2007-004
 [CVE-2007-2442/VU#356961, CVE-2007-2443/VU#365313]

pull up r19636 for 1.5-branch

 r19636@cathode-dark-space:  tlyu | 2007-06-26 14:08:20 -0400
 ticket: new
 target_version: 1.6.2
 tags: pullup
 subject: fix MITKRB5-SA-2007-004 [CVE-2007-2442/VU#356961, CVE-2007-2443/VU#365313]

 CVE-2007-2442/VU#356961: The RPC library can free an uninitialized
 pointer.  This may lead to execution of arbitrary code.

 CVE-2007-2443/VU#365313: The RPC library can write past the end of a
 stack buffer.  This may (but is unlikely to) lead to execution of
 arbitrary code.



ticket: new
version_fixed: 1.5.4

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-5@19682 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/rpc/svc_auth_gssapi.c |  2 ++
 src/lib/rpc/svc_auth_unix.c   | 11 ++++++-----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/lib/rpc/svc_auth_gssapi.c b/src/lib/rpc/svc_auth_gssapi.c
index ec2410331..8e09be8c2 100644
--- a/src/lib/rpc/svc_auth_gssapi.c
+++ b/src/lib/rpc/svc_auth_gssapi.c
@@ -148,6 +148,8 @@ enum auth_stat gssrpc__svcauth_gssapi(
      rqst->rq_xprt->xp_auth = &svc_auth_none;
      
      memset((char *) &call_res, 0, sizeof(call_res));
+     creds.client_handle.length = 0;
+     creds.client_handle.value = NULL;
      
      cred = &msg->rm_call.cb_cred;
      verf = &msg->rm_call.cb_verf;
diff --git a/src/lib/rpc/svc_auth_unix.c b/src/lib/rpc/svc_auth_unix.c
index 480ee7a9e..016644b40 100644
--- a/src/lib/rpc/svc_auth_unix.c
+++ b/src/lib/rpc/svc_auth_unix.c
@@ -64,8 +64,7 @@ gssrpc__svcauth_unix(
 		char area_machname[MAX_MACHINE_NAME+1];
 		int area_gids[NGRPS];
 	} *area;
-	u_int auth_len;
-	int str_len, gid_len;
+	u_int auth_len, str_len, gid_len;
 	register int i;
 
 	rqst->rq_xprt->xp_auth = &svc_auth_none;
@@ -74,7 +73,9 @@ gssrpc__svcauth_unix(
 	aup = &area->area_aup;
 	aup->aup_machname = area->area_machname;
 	aup->aup_gids = area->area_gids;
-	auth_len = (u_int)msg->rm_call.cb_cred.oa_length;
+	auth_len = msg->rm_call.cb_cred.oa_length;
+	if (auth_len > INT_MAX)
+		return AUTH_BADCRED;
 	xdrmem_create(&xdrs, msg->rm_call.cb_cred.oa_base, auth_len,XDR_DECODE);
 	buf = XDR_INLINE(&xdrs, (int)auth_len);
 	if (buf != NULL) {
@@ -84,7 +85,7 @@ gssrpc__svcauth_unix(
 			stat = AUTH_BADCRED;
 			goto done;
 		}
-		memmove(aup->aup_machname, (caddr_t)buf, (u_int)str_len);
+		memmove(aup->aup_machname, buf, str_len);
 		aup->aup_machname[str_len] = 0;
 		str_len = RNDUP(str_len);
 		buf += str_len / BYTES_PER_XDR_UNIT;
@@ -104,7 +105,7 @@ gssrpc__svcauth_unix(
 		 * timestamp, hostname len (0), uid, gid, and gids len (0).
 		 */
 		if ((5 + gid_len) * BYTES_PER_XDR_UNIT + str_len > auth_len) {
-			(void) printf("bad auth_len gid %d str %d auth %d\n",
+			(void) printf("bad auth_len gid %u str %u auth %u\n",
 			    gid_len, str_len, auth_len);
 			stat = AUTH_BADCRED;
 			goto done;
-- 
2.26.2