krb5 commit: Add more dump.c bounds checks

Greg Hudson ghudson at mit.edu
Wed Aug 25 18:03:19 EDT 2021


https://github.com/krb5/krb5/commit/d15930bec22781473c2eaf72c08a145508b373ba
commit d15930bec22781473c2eaf72c08a145508b373ba
Author: Greg Hudson <ghudson at mit.edu>
Date:   Mon Aug 2 23:15:12 2021 -0400

    Add more dump.c bounds checks
    
    Although dump files are privileged inputs, the code to read them
    should not admit integer overflows.  Add bounds checks for several
    fields which are used as allocation lengths or are assigned to
    structure fields of smaller size and different signedness.  Reported
    by Sharwan Ram and Kihong Keo.
    
    ticket: 9022

 src/kadmin/dbutil/dump.c |   14 +++++++++++++-
 1 files changed, 13 insertions(+), 1 deletions(-)

diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index 634ba4a..a89b514 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -668,6 +668,10 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
     }
 
     /* Get memory for flattened principal name */
+    if (u2 > UINT_MAX / 2) {
+        load_err(fname, *linenop, _("cannot allocate principal (too large)"));
+        goto fail;
+    }
     name = malloc(u2 + 1);
     if (name == NULL)
         goto fail;
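Review bot: The new guard on u2 is far looser than what `malloc(u2 + 1)` on the next line actually needs, and nothing records why `UINT_MAX / 2` was chosen, so a later reader may either tighten it or mistake it for a policy limit on principal length. A one-line comment above the check would carry the intent: `/* u2 + 1 must not wrap; the bound is deliberately loose. */`. The comparison presumes u2 is an unsigned int, which cannot be confirmed from the hunk; process_k5beta7_princ begins and ends outside it.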
@@ -682,6 +686,10 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
     dbentry->n_tl_data = u3;
 
     /* Get memory for key list */
+    if (u4 > INT16_MAX) {
+        load_err(fname, *linenop, _("invalid key_data size"));
+        goto fail;
+    }
     if (u4 && (kp = calloc(u4, sizeof(krb5_key_data))) == NULL)
         goto fail;
 
@@ -769,13 +777,17 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
             load_err(fname, *linenop, _("unsupported key_data_ver version"));
             goto fail;
         }
+        if (t2 < 0 || t2 > UINT16_MAX) {
+            load_err(fname, *linenop, _("invalid kvno"));
+            goto fail;
+        }
 
         kd->key_data_ver = t1;
         kd->key_data_kvno = t2;
 
         for (j = 0; j < t1; j++) {
             nread = fscanf(filep, "%d\t%d\t", &t3, &t4);
-            if (nread != 2 || t4 < 0) {
+            if (nread != 2 || t4 < 0 || t4 > UINT16_MAX) {
                 load_err(fname, *linenop,
                          _("cannot read key type and length"));
                 goto fail;
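Review bot: t3, read by the same fscanf as t4 on the line above, gets no range check even though the new condition now validates t4. If t3 is later stored into a 16-bit key type field (that assignment is outside the hunk), an out-of-range value would be silently truncated in the same way the commit is fixing for t2 and t4; extending the condition to `if (nread != 2 || t3 < INT16_MIN || t3 > INT16_MAX || t4 < 0 || t4 > UINT16_MAX) {` closes that. The enclosing loop and function continue past the end of the hunk.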

