author | Ezra Peisach <epeisach@mit.edu> | 2001-10-26 22:14:31 +0000 |
---|---|---|
committer | Ezra Peisach <epeisach@mit.edu> | 2001-10-26 22:14:31 +0000 |
commit | 8b9902db3c3dd546c6bba323221962011ecadcde (patch) | |
tree | 7efbb8e4d3dc2c8391e059e40ffd895ebae4a36b /src | |
parent | 5be277dece8cd97896c9f00779d0006513c10d3e (diff) | |
* k5seal.c (make_seal_token_v1): Correct errors in code
pertaining to case when signing message only. Fixes buffer
overflows as found by gssapi dejagnu testsuite.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13868 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/gssapi/krb5/ChangeLog | 6 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/k5seal.c | 14 |
2 files changed, 15 insertions, 5 deletions
diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog index d5aa402f7f..2bc1ca9a6d 100644 --- a/src/lib/gssapi/krb5/ChangeLog +++ b/src/lib/gssapi/krb5/ChangeLog @@ -1,3 +1,9 @@ +2001-10-26 Ezra Peisach <epeisach@mit.edu> + + * k5seal.c (make_seal_token_v1): Correct errors in code pertaining + to case when signing message only. Fixes buffer overflows as found + by gssapi dejagnu testsuite. + 2001-10-25 Sam Hartman <hartmans@mit.edu> * k5unseal.c (kg_unseal_v1): same here. diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c index a8b10f6a5a..7ba53db27c 100644 --- a/src/lib/gssapi/krb5/k5seal.c +++ b/src/lib/gssapi/krb5/k5seal.c @@ -91,6 +91,7 @@ make_seal_token_v1 (krb5_context context, if (encrypt || (!bigend && (toktype == KG_TOK_SEAL_MSG))) conflen = kg_confounder_size(context, enc); else conflen = 0; + if (toktype == KG_TOK_SEAL_MSG) { switch (sealalg) { case SEAL_ALG_MICROSOFT_RC4: @@ -177,23 +178,26 @@ make_seal_token_v1 (krb5_context context, } memcpy(plain+conflen, text->value, text->length); - memset(plain+conflen+text->length, pad, pad); + if (pad) memset(plain+conflen+text->length, pad, pad); - /* compute the checksum */ + /* compute the checksum */ /* 8 = head of token body as specified by mech spec */ if (! (data_ptr = - (char *) xmalloc(8 + (bigend ? text->length : tmsglen)))) { + (char *) xmalloc(8 + + ((bigend || (toktype != KG_TOK_SEAL_MSG)) + ? text->length : tmsglen)))) { xfree(plain); xfree(t); return(ENOMEM); } (void) memcpy(data_ptr, ptr-2, 8); - if (bigend) + if (bigend || (toktype != KG_TOK_SEAL_MSG)) (void) memcpy(data_ptr+8, text->value, text->length); else (void) memcpy(data_ptr+8, plain, msglen); - plaind.length = 8 + (bigend ? text->length : msglen); + plaind.length = 8 + + ((bigend || (toktype != KG_TOK_SEAL_MSG))? text->length : msglen); plaind.data = data_ptr; code = krb5_c_make_checksum(context, md5cksum.checksum_type, seq, sign_usage, &plaind, &md5cksum); |
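Review bot: In the second k5seal.c hunk the checksum buffer is sized with one variable and filled with another: on the path where neither `bigend` nor `toktype != KG_TOK_SEAL_MSG` holds, `xmalloc` reserves `8 + tmsglen` bytes, while the `memcpy` into `data_ptr+8` and `plaind.length` both use `msglen`. The assignments to `tmsglen` and `msglen` are outside the hunk, so whether they are equal on that path cannot be confirmed from here; if they ever differ, the copy or the checksum read runs past the allocation, which is the class of bug this commit sets out to fix. The same condition is also now spelled out three times, so I would compute the length once, e.g. `cksum_len = (bigend || (toktype != KG_TOK_SEAL_MSG)) ? text->length : msglen;`, and use `8 + cksum_len` for both the allocation and `plaind.length`. make_seal_token_v1 starts and ends outside the hunk.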