fix CVE-2007-3999 svc_auth_gss.c buffer overflow

Make sure svcauth_gss_validate adequately checks oa->oa_length prior to copying into rpcbuf. ticket: new target_version: 1.6.3 tags: pullup component: krb5-libs git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19913 dc483132-0cff-0310-8789-dd5450dbe970
author: Tom Yu <tlyu@mit.edu> 2007-09-04 18:52:56 +0000
committer: Tom Yu <tlyu@mit.edu> 2007-09-04 18:52:56 +0000
commit: d9d289e5519303478acf1853a89a3e0fbf170463 (patch)
tree: 4b8c30b10607039a7282576e83e79efeb7000fc3 /src/lib
parent: 8f547d08883c960887cf0bd136c5425a9aadccb0 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/lib/rpc/svc_auth_gss.c b/src/lib/rpc/svc_auth_gss.c
index e2c0777b6..bac560dc0 100644
--- a/src/lib/rpc/svc_auth_gss.c
+++ b/src/lib/rpc/svc_auth_gss.c
@@ -339,7 +339,7 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
 	oa = &msg->rm_call.cb_cred;
 	IXDR_PUT_ENUM(buf, oa->oa_flavor);
 	IXDR_PUT_LONG(buf, oa->oa_length);
-	if (oa->oa_length) {
+	if (oa->oa_length && oa->oa_length <= sizeof(rpchdr)) {
 		memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
 		buf += RNDUP(oa->oa_length) / sizeof(int32_t);
 	}
author	Tom Yu <tlyu@mit.edu>	2007-09-04 18:52:56 +0000
committer	Tom Yu <tlyu@mit.edu>	2007-09-04 18:52:56 +0000
commit	d9d289e5519303478acf1853a89a3e0fbf170463 (patch)
tree	4b8c30b10607039a7282576e83e79efeb7000fc3 /src/lib
parent	8f547d08883c960887cf0bd136c5425a9aadccb0 (diff)