svn rev #22180: branches/krb5-1-6/src/lib/krb5/asn.1/
tlyu@MIT.EDU
tlyu at MIT.EDU
Tue Apr 7 21:22:58 EDT 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=22180
Commit By: tlyu
Log Message:
ticket: 6447
subject: CVE-2009-0847 (1.6.x) asn1buf_imbed incorrect length validatin
tags: pullup
target_version: 1.6.4
version_fixed: 1.6.4
pull up rxxxx from trunk
asn1buf_imbed() can perform pointer arithmetic that causes the "bound"
pointer of the subbuffer to be less than the "next" pointer. This can
lead to malloc() failure or crash.
In asn1buf_imbed(), check the length before doing arithmetic to set
subbuf->bound. In asn1buf_remove_octetstring() and
asn1buf_remove_charstring(), check for invalid buffer pointers before
executing an unsigned length check against a (casted to size_t)
negative number.
Changed Files:
U branches/krb5-1-6/src/lib/krb5/asn.1/asn1buf.c
Modified: branches/krb5-1-6/src/lib/krb5/asn.1/asn1buf.c
===================================================================
--- branches/krb5-1-6/src/lib/krb5/asn.1/asn1buf.c 2009-04-08 01:22:51 UTC (rev 22179)
+++ branches/krb5-1-6/src/lib/krb5/asn.1/asn1buf.c 2009-04-08 01:22:57 UTC (rev 22180)
@@ -78,11 +78,11 @@
asn1_error_code asn1buf_imbed(asn1buf *subbuf, const asn1buf *buf, const unsigned int length, const int indef)
{
+ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
subbuf->base = subbuf->next = buf->next;
if (!indef) {
+ if (length > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;
subbuf->bound = subbuf->base + length - 1;
- if (subbuf->bound > buf->bound)
- return ASN1_OVERRUN;
} else /* constructed indefinite */
subbuf->bound = buf->bound;
return 0;
@@ -200,6 +200,7 @@
{
int i;
+ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
if (len == 0) {
*s = 0;
@@ -218,6 +219,7 @@
{
int i;
+ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
if (len == 0) {
*s = 0;
More information about the cvs-krb5
mailing list