diff options
author | Tom Yu <tlyu@mit.edu> | 2009-04-07 21:22:20 +0000 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2009-04-07 21:22:20 +0000 |
commit | 9024676102cbd24d08f41fa3de7761d64f13db4d (patch) | |
tree | e280b6e5f77ba3746702395255d38ce92455e8d8 /src/tests/verify | |
parent | 19b0ab4fae79371e1ccdba38f262b3aa05c20a80 (diff) | |
download | krb5-9024676102cbd24d08f41fa3de7761d64f13db4d.tar.gz krb5-9024676102cbd24d08f41fa3de7761d64f13db4d.tar.xz krb5-9024676102cbd24d08f41fa3de7761d64f13db4d.zip |
CVE-2009-0847 asn1buf_imbed incorrect length validation
asn1buf_imbed() can perform pointer arithmetic that causes the "bound"
pointer of the subbuffer to be less than the "next" pointer. This can
lead to malloc() failure or crash.
In asn1buf_imbed(), check the length before doing arithmetic to set
subbuf->bound. In asn1buf_remove_octetstring() and
asn1buf_remove_charstring(), check for invalid buffer pointers before
executing an unsigned length check against a (casted to size_t)
negative number.
ticket: 6444
tags: pullup
target_version: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22175 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/tests/verify')
0 files changed, 0 insertions, 0 deletions