From e900740e5a92b06d75d8af45d6904e905365cd57 Mon Sep 17 00:00:00 2001
From: Tom Yu
Date: Wed, 5 Sep 2007 19:53:33 +0000
Subject: [PATCH] Revise patch to avoid 32-byte overflow which remained after the initial patch. Memory written to by the IXDR macro calls had not been accounted for. Thanks to Kevin Coffman, Will Fiveash, and Nico Williams for discovering this bug and assisting with patch development.
ticket: 5706
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19923 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/rpc/svc_auth_gss.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/lib/rpc/svc_auth_gss.c b/src/lib/rpc/svc_auth_gss.c
index bac560dc0..1b2fa1e14 100644
--- a/src/lib/rpc/svc_auth_gss.c
+++ b/src/lib/rpc/svc_auth_gss.c
@@ -329,6 +329,15 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
 memset(rpchdr, 0, sizeof(rpchdr));
 /* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
+ oa = &msg->rm_call.cb_cred;
+ if (oa->oa_length > MAX_AUTH_BYTES)
+ return (FALSE);
+
+ /* 8 XDR units from the IXDR macro calls. */
+ if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
+ RNDUP(oa->oa_length)))
+ return (FALSE);
+
 buf = (int32_t *)(void *)rpchdr;
 IXDR_PUT_LONG(buf, msg->rm_xid);
 IXDR_PUT_ENUM(buf, msg->rm_direction);
@@ -336,10 +345,9 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
 IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
 IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
 IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
- oa = &msg->rm_call.cb_cred;
 IXDR_PUT_ENUM(buf, oa->oa_flavor);
 IXDR_PUT_LONG(buf, oa->oa_length);
- if (oa->oa_length && oa->oa_length <= sizeof(rpchdr)) {
+ if (oa->oa_length) {
 memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
 buf += RNDUP(oa->oa_length) / sizeof(int32_t);
 }
-- 
2.26.2
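Review bot: The bound added in the first hunk (`8 * BYTES_PER_XDR_UNIT + RNDUP(oa->oa_length)`) is a hand-counted constant that has to match the number of IXDR_PUT_* calls spread across both hunks and the unseen line between them, so a later field added to the reconstructed header would silently reopen the overflow the commit fixes. Because the second hunk now relies entirely on that early check, the memcpy there has no bound of its own; a check at the write site that uses the real cursor position would not depend on the count staying 8, e.g. replace `if (oa->oa_length) {` with `if (oa->oa_length) {` followed by `if ((size_t)((char *)buf - (char *)rpchdr) + RNDUP(oa->oa_length) > sizeof(rpchdr)) return (FALSE);`. The comment `/* 8 XDR units from the IXDR macro calls. */` would also be more maintainable if it named the fields it counts (xid, direction, rpcvers, prog, vers, proc, flavor, length — the rpcvers line is not visible in these hunks, so confirm the count against the full function). svcauth_gss_validate begins before the first hunk and continues past the second.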