svn rev #22249: branches/krb5-1-7/src/lib/krb5/asn.1/

tlyu@MIT.EDU tlyu at MIT.EDU
Wed Apr 15 16:07:32 EDT 2009 

http://src.mit.edu/fisheye/changelog/krb5/?cs=22249
Commit By: tlyu
Log Message:
ticket: 6444
version_fixed: 1.7

pull up r22175 from trunk

 ------------------------------------------------------------------------
 r22175 | tlyu | 2009-04-07 17:22:20 -0400 (Tue, 07 Apr 2009) | 14 lines
 Changed paths:
    M /trunk/src/lib/krb5/asn.1/asn1buf.c

 ticket: 6444
 subject: CVE-2009-0847 asn1buf_imbed incorrect length validation
 tags: pullup
 target_version: 1.7

 asn1buf_imbed() can perform pointer arithmetic that causes the "bound"
 pointer of the subbuffer to be less than the "next" pointer.  This can
 lead to malloc() failure or crash.

 In asn1buf_imbed(), check the length before doing arithmetic to set
 subbuf->bound.  In asn1buf_remove_octetstring() and
 asn1buf_remove_charstring(), check for invalid buffer pointers before
 executing an unsigned length check against a (casted to size_t)
 negative number.


Changed Files:
U   branches/krb5-1-7/src/lib/krb5/asn.1/asn1buf.c
Modified: branches/krb5-1-7/src/lib/krb5/asn.1/asn1buf.c
===================================================================
--- branches/krb5-1-7/src/lib/krb5/asn.1/asn1buf.c	2009-04-15 20:07:30 UTC (rev 22248)
+++ branches/krb5-1-7/src/lib/krb5/asn.1/asn1buf.c	2009-04-15 20:07:32 UTC (rev 22249)
@@ -92,11 +92,11 @@
 
 asn1_error_code asn1buf_imbed(asn1buf *subbuf, const asn1buf *buf, const unsigned int length, const int indef)
 {
+    if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
     subbuf->base = subbuf->next = buf->next;
     if (!indef) {
+        if (length > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;
         subbuf->bound = subbuf->base + length - 1;
-        if (subbuf->bound > buf->bound)
-            return ASN1_OVERRUN;
     } else /* constructed indefinite */
         subbuf->bound = buf->bound;
     return 0;
@@ -205,6 +205,7 @@
 {
     unsigned int i;
 
+    if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
     if (len > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;
     if (len == 0) {
         *s = 0;
@@ -223,6 +224,7 @@
 {
     unsigned int i;
 
+    if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
     if (len > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;
     if (len == 0) {
         *s = 0;

More information about the cvs-krb5 mailing list