summaryrefslogtreecommitdiffstats
path: root/src/lib
diff options
context:
space:
mode:
authorGreg Hudson <ghudson@mit.edu>2009-09-11 17:30:51 +0000
committerGreg Hudson <ghudson@mit.edu>2009-09-11 17:30:51 +0000
commit215629faacb495580aae9ad62a93f8b22c7d8165 (patch)
tree9dc44332cb79d728605420b4ddccb3a335b19af8 /src/lib
parentd8b68c5a04658fc87960ddc9ca04aaa6b0fd03a4 (diff)
downloadkrb5-215629faacb495580aae9ad62a93f8b22c7d8165.tar.gz
krb5-215629faacb495580aae9ad62a93f8b22c7d8165.tar.xz
krb5-215629faacb495580aae9ad62a93f8b22c7d8165.zip
Fix parsing of GSS exported names
Cherry-picked from Luke's authdata branch. ticket: 6559 tags: pullup target_version: 1.7.1 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22732 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/gssapi/krb5/import_name.c22
1 files changed, 18 insertions, 4 deletions
diff --git a/src/lib/gssapi/krb5/import_name.c b/src/lib/gssapi/krb5/import_name.c
index 6879c766fa..440d36222b 100644
--- a/src/lib/gssapi/krb5/import_name.c
+++ b/src/lib/gssapi/krb5/import_name.c
@@ -56,7 +56,8 @@ krb5_gss_import_name(minor_status, input_name_buffer,
krb5_context context;
krb5_principal princ;
krb5_error_code code;
- char *stringrep, *tmp, *tmp2, *cp;
+ unsigned char *cp, *end;
+ char *stringrep, *tmp, *tmp2;
OM_uint32 length;
#ifndef NO_PASSWORD
struct passwd *pw;
@@ -155,7 +156,12 @@ krb5_gss_import_name(minor_status, input_name_buffer,
goto do_getpwuid;
#endif
} else if (g_OID_equal(input_name_type, gss_nt_exported_name)) {
- cp = tmp;
+#define BOUNDS_CHECK(cp, end, n) do { if ((end) - (cp) < (n)) \
+ goto fail_name; } while (0)
+ cp = (unsigned char *)tmp;
+ end = cp + input_name_buffer->length;
+
+ BOUNDS_CHECK(cp, end, 4);
if (*cp++ != 0x04)
goto fail_name;
if (*cp++ != 0x01)
@@ -163,20 +169,28 @@ krb5_gss_import_name(minor_status, input_name_buffer,
if (*cp++ != 0x00)
goto fail_name;
length = *cp++;
- if (length != gss_mech_krb5->length+2)
+ if (length != (ssize_t)gss_mech_krb5->length+2)
goto fail_name;
+
+ BOUNDS_CHECK(cp, end, 2);
if (*cp++ != 0x06)
goto fail_name;
length = *cp++;
if (length != gss_mech_krb5->length)
goto fail_name;
+
+ BOUNDS_CHECK(cp, end, length);
if (memcmp(cp, gss_mech_krb5->elements, length) != 0)
goto fail_name;
cp += length;
+
+ BOUNDS_CHECK(cp, end, 4);
length = *cp++;
length = (length << 8) | *cp++;
length = (length << 8) | *cp++;
length = (length << 8) | *cp++;
+
+ BOUNDS_CHECK(cp, end, length);
tmp2 = malloc(length+1);
if (tmp2 == NULL) {
xfree(tmp);
@@ -184,7 +198,7 @@ krb5_gss_import_name(minor_status, input_name_buffer,
krb5_free_context(context);
return GSS_S_FAILURE;
}
- strncpy(tmp2, cp, length);
+ strncpy(tmp2, (char *)cp, length);
tmp2[length] = 0;
stringrep = tmp2;