author | Greg Hudson <ghudson@mit.edu> | 2009-09-11 17:30:51 +0000 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2009-09-11 17:30:51 +0000 |
commit | 215629faacb495580aae9ad62a93f8b22c7d8165 (patch) | |
tree | 9dc44332cb79d728605420b4ddccb3a335b19af8 /src/lib | |
parent | d8b68c5a04658fc87960ddc9ca04aaa6b0fd03a4 (diff) | |
Fix parsing of GSS exported names
Cherry-picked from Luke's authdata branch.
ticket: 6559
tags: pullup
target_version: 1.7.1
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22732 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/gssapi/krb5/import_name.c | 22 |
1 files changed, 18 insertions, 4 deletions
diff --git a/src/lib/gssapi/krb5/import_name.c b/src/lib/gssapi/krb5/import_name.c
index 6879c766fa..440d36222b 100644
--- a/src/lib/gssapi/krb5/import_name.c
+++ b/src/lib/gssapi/krb5/import_name.c
@@ -56,7 +56,8 @@ krb5_gss_import_name(minor_status, input_name_buffer,
 krb5_context context;
 krb5_principal princ;
 krb5_error_code code;
- char *stringrep, *tmp, *tmp2, *cp;
+ unsigned char *cp, *end;
+ char *stringrep, *tmp, *tmp2;
 OM_uint32 length;
 #ifndef NO_PASSWORD
 struct passwd *pw;
@@ -155,7 +156,12 @@ krb5_gss_import_name(minor_status, input_name_buffer,
 goto do_getpwuid;
 #endif
 } else if (g_OID_equal(input_name_type, gss_nt_exported_name)) {
- cp = tmp;
+#define BOUNDS_CHECK(cp, end, n) do { if ((end) - (cp) < (n)) \
+ goto fail_name; } while (0)
+ cp = (unsigned char *)tmp;
+ end = cp + input_name_buffer->length;
+
+ BOUNDS_CHECK(cp, end, 4);
 if (*cp++ != 0x04)
 goto fail_name;
 if (*cp++ != 0x01)
@@ -163,20 +169,28 @@ krb5_gss_import_name(minor_status, input_name_buffer,
 if (*cp++ != 0x00)
 goto fail_name;
 length = *cp++;
- if (length != gss_mech_krb5->length+2)
+ if (length != (ssize_t)gss_mech_krb5->length+2)
 goto fail_name;
+
+ BOUNDS_CHECK(cp, end, 2);
 if (*cp++ != 0x06)
 goto fail_name;
 length = *cp++;
 if (length != gss_mech_krb5->length)
 goto fail_name;
+
+ BOUNDS_CHECK(cp, end, length);
 if (memcmp(cp, gss_mech_krb5->elements, length) != 0)
 goto fail_name;
 cp += length;
+
+ BOUNDS_CHECK(cp, end, 4);
 length = *cp++;
 length = (length << 8) | *cp++;
 length = (length << 8) | *cp++;
 length = (length << 8) | *cp++;
+
+ BOUNDS_CHECK(cp, end, length);
 tmp2 = malloc(length+1);
 if (tmp2 == NULL) {
 xfree(tmp);
@@ -184,7 +198,7 @@ krb5_gss_import_name(minor_status, input_name_buffer,
 krb5_free_context(context);
 return GSS_S_FAILURE;
 }
- strncpy(tmp2, cp, length);
+ strncpy(tmp2, (char *)cp, length);
 tmp2[length] = 0;
 stringrep = tmp2; |
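Review bot: In the hunk at -155,7 +156,12, `BOUNDS_CHECK` is defined in the middle of the function body, hides a `goto fail_name`, and is not undefined anywhere in the visible lines, so it appears to stay defined for the rest of the file. Adding `#undef BOUNDS_CHECK` after its last use (or moving the definition to file scope) together with a comment such as `/* Fail unless at least n bytes remain between cp and end. */` would make the hidden jump and the macro's reach explicit. `end` is computed from `input_name_buffer->length` while `cp` points into `tmp`; the bound is only right if `tmp` holds at least that many bytes, and its allocation is outside this hunk, so that assumption deserves a comment as well.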
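Review bot: In the hunk at -163,20 +169,28, the last `BOUNDS_CHECK(cp, end, length)` only proves that at least `length` bytes remain, so an exported name followed by extra bytes is still accepted. If nothing is expected after the name at this point, an exact comparison such as `if ((size_t)(end - cp) != length) goto fail_name;` would reject tokens with trailing data. Separately, `length` is an `OM_uint32`, and the new `(ssize_t)` cast makes the first length comparison mixed-sign while the second comparison against `gss_mech_krb5->length` is left uncast; using one form for both would be clearer. The enclosing branch continues past the end of this hunk.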
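Review bot: In the hunk at -184,7 +198,7, `strncpy` stops copying at the first zero byte, so a name field containing an embedded NUL produces a `stringrep` shorter than the declared `length` without any error. A check placed before the `malloc` in the preceding hunk, `if (memchr(cp, '\0', length) != NULL) goto fail_name;`, would reject such input, and `memcpy(tmp2, cp, length);` then states the bounded copy directly. How `stringrep` is consumed is outside the visible lines, so the effect of a truncated name is inferred rather than shown.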