[krbdev.mit.edu #6444] SVN Commit
Tom Yu via RT
rt-comment at krbdev.mit.edu
Tue Apr 7 17:22:21 EDT 2009
asn1buf_imbed() can perform pointer arithmetic that causes the "bound"
pointer of the subbuffer to be less than the "next" pointer. This can
lead to malloc() failure or crash.
In asn1buf_imbed(), check the length before doing arithmetic to set
subbuf->bound. In asn1buf_remove_octetstring() and
asn1buf_remove_charstring(), check for invalid buffer pointers before
executing an unsigned length check against a (casted to size_t)
negative number.
http://src.mit.edu/fisheye/changelog/krb5/?cs=22175
Commit By: tlyu
Revision: 22175
Changed Files:
U trunk/src/lib/krb5/asn.1/asn1buf.c
More information about the krb5-bugs
mailing list