[krbdev.mit.edu #1216]
The RT System itself via RT
rt-comment at krbdev.mit.edu
Wed Oct 9 16:23:07 EDT 2002
From nalin at blade.devel.redhat.com Wed Oct 9 16:23:04 2002
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by krbdev.mit.edu (8.9.3) with ESMTP
id QAA24755; Wed, 9 Oct 2002 16:23:04 -0400 (EDT)
Received: from blade.devel.redhat.com (nat-pool-rdu.redhat.com [66.187.233.200])
by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id QAA28578
for <krb5-bugs at mit.edu>; Wed, 9 Oct 2002 16:23:03 -0400 (EDT)
Received: from blade.devel.redhat.com (localhost.localdomain [127.0.0.1])
by blade.devel.redhat.com (8.12.5/8.12.5) with ESMTP id g99KN9TG027961
for <krb5-bugs at mit.edu>; Wed, 9 Oct 2002 16:23:09 -0400
Received: (from nalin at localhost)
by blade.devel.redhat.com (8.12.5/8.12.5/Submit) id g99KN9ap027959;
Wed, 9 Oct 2002 16:23:09 -0400
Date: Wed, 9 Oct 2002 16:23:09 -0400
Message-Id: <200210092023.g99KN9ap027959 at blade.devel.redhat.com>
To: krb5-bugs at mit.edu
From: nalin at redhat.com
Reply-To: nalin at redhat.com
X-send-pr-version: 3.99
>Submitter-Id: net
>Originator: Nalin Dahyabhai
>Confidential: no
>Synopsis:
>Severity: non-critical
>Priority: low
>Category: krb5-libs
>Class: sw-bug
>Release: krb5-1.2.6
System: Linux 2.4.18
Architecture: i686
glibc 2.2.x/2.3
>Description:
The res_search() function is allowed to return a result size
which is larger than the size of the buffer which is passed in
by the calling application (in this case, libkrb5) if the response
has to be truncated to fit into the buffer. libkrb5 does not
check for this.
>How-To-Repeat:
Configure a Kerberos client to use DNS to retrieve server
information for the local realm, and populate DNS with large,
unique RRs for the queries libkrb5 will make.
>Fix:
A longer patch could retry a truncated request with a larger
buffer, but the simplest thing is to fail for too-large responses,
which is what should happen anyway if the library attempts to read
past the end of its buffer. This patch hasn't been thoroughly
tested, but it looks correct:
--- src/lib/krb5/os/hst_realm.c 2002-10-09 14:03:04.000000000 -0400
+++ src/lib/krb5/os/hst_realm.c 2002-10-09 14:12:43.000000000 -0400
@@ -141,7 +141,7 @@
}
size = res_search(host, C_IN, T_TXT, answer.bytes, sizeof(answer.bytes));
- if (size < 0)
+ if ((size < sizeof(HEADER)) || (size > sizeof(answer.bytes))
return KRB5_ERR_HOST_REALM_UNKNOWN;
p = answer.bytes;
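Review bot: the new condition on the `if` line is missing its closing parenthesis and will not compile as posted; it needs to read `if ((size < sizeof(HEADER)) || (size > sizeof(answer.bytes)))`. Separately, `size` is the `int` return of res_search() and `sizeof(HEADER)` is a `size_t`, so `size < sizeof(HEADER)` is a signed/unsigned comparison: a -1 error return is promoted to a huge unsigned value, passes the first clause, and is rejected only by the second one (and compilers warn). Keep the original `size < 0` test, or test for negative first and then compare `(size_t)size` against the bounds.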
--- src/lib/krb5/os/locate_kdc.c 2002-10-09 14:15:57.000000000 -0400
+++ src/lib/krb5/os/locate_kdc.c 2002-10-09 14:59:26.000000000 -0400
@@ -391,7 +391,7 @@
size = res_search(host, C_IN, T_SRV, answer.bytes, sizeof(answer.bytes));
- if (size < hdrsize)
+ if ((size < hdrsize) || (size > sizeof(answer.bytes))
goto out;
/*
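Review bot: the same unbalanced parentheses as in hst_realm.c: `if ((size < hdrsize) || (size > sizeof(answer.bytes))` lacks the final `)` that closes the `if`. The `size < hdrsize` clause still rejects a -1 return if `hdrsize` is an `int`, but `size > sizeof(answer.bytes)` is again a signed/unsigned comparison; testing for a negative size first and then comparing `(size_t)size` makes the intent explicit instead of relying on integer promotion.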
@@ -463,6 +463,8 @@
CHECK(p,2);
rdlen = NTOHSP(p,2);
+ CHECK(p,rdlen);
+
/*
* If this is an SRV record, process it. Record format is:
*
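Review bot: `CHECK(p,rdlen)` sits after `rdlen = NTOHSP(p,2)`, so it bounds the RDATA correctly only if NTOHSP advances `p` past the two length bytes before the check runs; if NTOHSP leaves `p` on the length field, the check is short by two bytes. A one-line comment saying which later read of `rdlen` bytes this guards would help, since the hunk as shown gives no hint of why the bound is needed here.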
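To show the failure the report describes and the two checks the patch adds, here is an added C example; it is not krb5 code and not from the reporter. `fake_res_search()` is an assumed stand-in that mimics the res_search() return convention the report relies on (full answer length returned even when only part of it fits) without doing any DNS I/O, `DNS_HDR_LEN` stands for `sizeof(HEADER)`, the response bytes are constructed inline, and the parser handles only the root-label, no-compression case needed to exercise the length checks.

```c
#include <string.h>
#include <stddef.h>

#define DNS_HDR_LEN 12   /* wire size of HEADER */

/* Stand-in for res_search() (assumed; no DNS I/O). Like libresolv it copies at
 * most buflen bytes into buf but returns the full answer length, which exceeds
 * buflen when the answer was truncated. A negative wire_len models failure. */
static int fake_res_search(const unsigned char *wire, int wire_len,
                           unsigned char *buf, size_t buflen)
{
    size_t n;
    if (wire_len < 0)
        return -1;
    n = (size_t)wire_len < buflen ? (size_t)wire_len : buflen;
    memcpy(buf, wire, n);
    return wire_len;
}

/* The check the patch adds: reject a failure (-1), an answer shorter than the
 * header, and an answer that did not fit. The negative case is tested before
 * the cast, so -1 is never promoted to a huge size_t. */
static int answer_usable(int size, size_t buflen)
{
    if (size < DNS_HDR_LEN)
        return 0;
    return (size_t)size <= buflen;
}

/* Bounds-checked walk of the answer section (no question section, owner names
 * are the root label). Returns the number of RRs whose RDATA lies inside
 * [buf, buf + size), or -1 when a length field points past the end. */
static int count_rrs(const unsigned char *buf, int size)
{
    const unsigned char *p = buf, *eom = buf + size;
    int ancount, i, rdlen, found = 0;
    if (size < DNS_HDR_LEN)
        return -1;
    ancount = (p[6] << 8) | p[7];
    p += DNS_HDR_LEN;
    for (i = 0; i < ancount; i++) {
        if (eom - p < 11 || p[0] != 0)  /* owner, TYPE, CLASS, TTL, RDLENGTH */
            return -1;
        p += 1 + 2 + 2 + 4;
        rdlen = (p[0] << 8) | p[1];
        p += 2;
        if (eom - p < rdlen)            /* the CHECK(p, rdlen) of the patch */
            return -1;
        p += rdlen;
        found++;
    }
    return found;
}

/* Constructed response: nrecords TXT RRs, each txtlen bytes of 'A'. */
static int build_response(unsigned char *out, int nrecords, int txtlen)
{
    unsigned char *p = out;
    int i;
    memset(p, 0, DNS_HDR_LEN);
    p[2] = 0x81; p[3] = 0x80;                             /* QR, RD, RA */
    p[7] = (unsigned char)nrecords;                       /* ANCOUNT < 256 */
    p += DNS_HDR_LEN;
    for (i = 0; i < nrecords; i++) {
        *p++ = 0;                                         /* root label */
        *p++ = 0; *p++ = 16;                              /* TYPE TXT */
        *p++ = 0; *p++ = 1;                               /* CLASS IN */
        *p++ = 0; *p++ = 0; *p++ = 0; *p++ = 60;          /* TTL */
        *p++ = 0; *p++ = (unsigned char)(txtlen + 1);     /* RDLENGTH < 256 */
        *p++ = (unsigned char)txtlen;                     /* string length */
        memset(p, 'A', (size_t)txtlen);
        p += txtlen;
    }
    return (int)(p - out);
}

/* Look up into a buffer of buflen bytes and parse only a usable answer;
 * -1 plays the role of KRB5_ERR_HOST_REALM_UNKNOWN. */
static int lookup(const unsigned char *wire, int wire_len, size_t buflen)
{
    unsigned char buf[512];
    int size;
    if (buflen > sizeof(buf))
        buflen = sizeof(buf);
    size = fake_res_search(wire, wire_len, buf, buflen);
    if (!answer_usable(size, buflen))
        return -1;
    return count_rrs(buf, size);
}

/* Four 100-byte TXT records: 12 + 4 * 112 = 460 bytes on the wire. */
static int scenario(size_t buflen)
{
    unsigned char wire[512];
    int wire_len = build_response(wire, 4, 100);
    return lookup(wire, wire_len, buflen);
}

/* Two records, the second RDLENGTH corrupted to 0xffff. */
static int scenario_bad_rdlen(void)
{
    unsigned char wire[512];
    int wire_len = build_response(wire, 2, 100);
    wire[12 + 112 + 9] = wire[12 + 112 + 10] = 0xff;
    return lookup(wire, wire_len, 512);
}
```

With a 512-byte buffer `scenario()` parses all four records; with a 256-byte buffer the stand-in returns 460 and `answer_usable()` refuses the answer, which is the case the unpatched code would have parsed straight past the end of `answer.bytes`. `scenario_bad_rdlen()` shows the second check: the answer fits, but a record's RDLENGTH points past the message and the `CHECK(p, rdlen)` equivalent stops the walk.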