diff options
| author | Greg Hudson <ghudson@mit.edu> | 2012-12-10 14:18:30 -0500 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2012-12-10 14:21:36 -0500 |
| commit | d3c5450ddf0b20855e86dab41735d56c6860156b (patch) | |
| tree | 1013b3c871ce2b5e72c925387115bdbb98853532 /src/kdc | |
| parent | db26cd1b6f422c20c062385e0daeb8c95137428d (diff) | |
| download | krb5-d3c5450ddf0b20855e86dab41735d56c6860156b.tar.gz krb5-d3c5450ddf0b20855e86dab41735d56c6860156b.tar.xz krb5-d3c5450ddf0b20855e86dab41735d56c6860156b.zip | |
Fix various integer issues
In kdc_util.c and spnego_mech.c, error returns from ASN.1 length
functions could be ignored because they were assigned to unsigned
values. In spnego_mech.c, two buffer size checks could be rewritten
to reduce the likelihood of pointer overflow. In dump.c and
kdc_preauth.c, calloc() could be used to simplify the code and avoid
multiplication overflow. In pkinit_clnt.c, the wrong value was
checked for a null result from malloc(), and the code could be
simplified.
Reported by Nickolai Zeldovich <nickolai@csail.mit.edu>.
ticket: 7488
Diffstat (limited to 'src/kdc')
| -rw-r--r-- | src/kdc/kdc_preauth.c | 3 | ||||
| -rw-r--r-- | src/kdc/kdc_util.c | 3 |
2 files changed, 3 insertions, 3 deletions
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c index 29485a34d..42a37a848 100644 --- a/src/kdc/kdc_preauth.c +++ b/src/kdc/kdc_preauth.c @@ -470,11 +470,10 @@ client_keys(krb5_context context, krb5_kdcpreauth_rock rock, krb5_key_data *entry_key; int i, k; - keys = malloc(sizeof(krb5_keyblock) * (request->nktypes + 1)); + keys = calloc(request->nktypes + 1, sizeof(krb5_keyblock)); if (keys == NULL) return ENOMEM; - memset(keys, 0, sizeof(krb5_keyblock) * (request->nktypes + 1)); k = 0; for (i = 0; i < request->nktypes; i++) { entry_key = NULL; diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index ea11f54d1..a6a53a1c9 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -842,9 +842,10 @@ fetch_asn1_field(unsigned char *astream, unsigned int level, /* return length and data */ astream++; savelen = *astream; - if ((data->length = asn1length(&astream)) < 0) { + if ((length = asn1length(&astream)) < 0) { return(-1); } + data->length = length; /* if the field length is indefinite, we will have to subtract two (terminating octets) from the length returned since we don't want to pass any info from the "wrapper" back. asn1length will always return |