aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAssar Westerlund <assar@FreeBSD.org>2002-10-23 06:10:08 +0000
committerAssar Westerlund <assar@FreeBSD.org>2002-10-23 06:10:08 +0000
commitd5cb6584511270273468b9eb7731f15b795cf438 (patch)
tree76b48f5ed474f6f0c0c290bf371ccfc572830306
parenta3204abff5731d69ad1645481011f94a994d7d40 (diff)
downloadsrc-vendor/kerberosIV.tar.gz
src-vendor/kerberosIV.zip
import 1.29 to fix buffer overflow:vendor/kerberosIV
check the length of the authenticator and rlen Obtained from: Heimdal CVS
Notes
Notes: svn path=/vendor-crypto/kerberosIV/dist/; revision=105765
-rw-r--r--crypto/kerberosIV/kadmin/kadm_ser_wrap.c13
1 files changed, 11 insertions, 2 deletions
diff --git a/crypto/kerberosIV/kadmin/kadm_ser_wrap.c b/crypto/kerberosIV/kadmin/kadm_ser_wrap.c
index 196a89c8fe11..29f142c63661 100644
--- a/crypto/kerberosIV/kadmin/kadm_ser_wrap.c
+++ b/crypto/kerberosIV/kadmin/kadm_ser_wrap.c
@@ -117,16 +117,25 @@ kadm_ser_in(u_char **dat, int *dat_len, u_char *errdat)
u_char *retdat, *tmpdat;
int retval, retlen;
- if (strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
+ if (*dat_len < (KADM_VERSIZE + sizeof(u_int32_t))
+ || strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE) != 0) {
errpkt(errdat, dat, dat_len, KADM_BAD_VER);
return KADM_BAD_VER;
}
in_len = KADM_VERSIZE;
/* get the length */
- if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0)
+ if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0 ||
+ (r_len > *dat_len - KADM_VERSIZE - sizeof(u_int32_t))) {
+ errpkt(errdat, dat, dat_len, KADM_LENGTH_ERROR);
return KADM_LENGTH_ERROR;
+ }
+
in_len += retc;
authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(u_int32_t);
+ if (authent.length > MAX_KTXT_LEN) {
+ errpkt(errdat, dat, dat_len, KADM_LENGTH_ERROR);
+ return KADM_LENGTH_ERROR;
+ }
memcpy(authent.dat, (char *)(*dat) + in_len, authent.length);
authent.mbz = 0;
/* service key should be set before here */