krb5 commit [krb5-1.10]: Fix various integer issues
Tom Yu
tlyu at MIT.EDU
Fri Jan 11 16:04:00 EST 2013
https://github.com/krb5/krb5/commit/8e31374995eaa4515323e56d1579ee7ad0ebc4ca
commit 8e31374995eaa4515323e56d1579ee7ad0ebc4ca
Author: Tom Yu <tlyu at mit.edu>
Date: Fri Jan 11 15:53:23 2013 -0500
Fix various integer issues
In kdc_util.c and spnego_mech.c, error returns from ASN.1 length
functions could be ignored because they were assigned to unsigned
values. In spnego_mech.c, two buffer size checks could be rewritten
to reduce the likelihood of pointer overflow. In dump.c and
kdc_preauth.c, calloc() could be used to simplify the code and avoid
multiplication overflow. In pkinit_clnt.c, the wrong value was
checked for a null result from malloc(), and the code could be
simplified.
Reported by Nickolai Zeldovich <nickolai at csail.mit.edu>.
(cherry picked from commit d3c5450ddf0b20855e86dab41735d56c6860156b)
[tlyu at mit.edu: omitted pkinit and kdb5_util fixes because they're not
conservative]
ticket: 7545 (new)
version_fixed: 1.10.4
status: resolved
src/kdc/kdc_preauth.c | 3 +--
src/kdc/kdc_util.c | 3 ++-
src/lib/gssapi/spnego/spnego_mech.c | 6 +++---
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index d4ece3f..320bb38 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -507,11 +507,10 @@ client_keys(krb5_context context, krb5_kdcpreauth_rock rock,
krb5_key_data *entry_key;
int i, k;
- keys = malloc(sizeof(krb5_keyblock) * (request->nktypes + 1));
+ keys = calloc(request->nktypes + 1, sizeof(krb5_keyblock));
if (keys == NULL)
return ENOMEM;
- memset(keys, 0, sizeof(krb5_keyblock) * (request->nktypes + 1));
k = 0;
for (i = 0; i < request->nktypes; i++) {
entry_key = NULL;
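Review bot: The count `request->nktypes + 1` on the `+` line is still evaluated in nktypes's own integer type before it is widened to size_t, so calloc removes the count*size overflow but not an overflow of the `+ 1` itself if nktypes can sit at its type's maximum; whether the request decoder bounds nktypes is not visible here and is worth confirming. Dropping the memset is correct only because calloc zero-fills, and a one-line comment would keep the next reader from re-adding it: `/* calloc zero-fills and guards the count * size multiplication */`. client_keys starts before the hunk and continues past it.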
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 94dad3a..0e0af5a 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1118,9 +1118,10 @@ fetch_asn1_field(unsigned char *astream, unsigned int level,
/* return length and data */
astream++;
savelen = *astream;
- if ((data->length = asn1length(&astream)) < 0) {
+ if ((length = asn1length(&astream)) < 0) {
return(-1);
}
+ data->length = length;
/* if the field length is indefinite, we will have to subtract two
(terminating octets) from the length returned since we don't want
to pass any info from the "wrapper" back. asn1length will always return
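Review bot: The corrected check only works if `length`, which is declared outside the hunk, is a signed type wide enough to hold asn1length's error return; with an unsigned `length` the `< 0` test on the `+` line would be as dead as the one it replaces, so the declaration deserves a look. Because the intent is easy to undo in a later "cleanup", a comment on the new assignment would protect it: `/* keep the signed result so asn1length's negative error return is not lost in the unsigned data->length */`. fetch_asn1_field starts before the hunk and continues past it.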
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 8665d4f..f916e49 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -3957,7 +3957,7 @@ g_verify_neg_token_init(unsigned char **buf_in, unsigned int cur_size)
{
unsigned char *buf = *buf_in;
unsigned char *endptr = buf + cur_size;
- unsigned int seqsize;
+ int seqsize;
int ret = 0;
unsigned int bytes;
@@ -3981,7 +3981,7 @@ g_verify_neg_token_init(unsigned char **buf_in, unsigned int cur_size)
/*
* Make sure we have the entire buffer as described
*/
- if (buf + seqsize > endptr)
+ if (seqsize > endptr - buf)
return (G_BAD_TOK_HEADER);
} else {
return (G_BAD_TOK_HEADER);
@@ -3998,7 +3998,7 @@ g_verify_neg_token_init(unsigned char **buf_in, unsigned int cur_size)
/*
* Make sure we have the entire buffer as described
*/
- if (buf + bytes > endptr)
+ if (seqsize > endptr - buf)
return (G_BAD_TOK_HEADER);
} else {
return (G_BAD_TOK_HEADER);