summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorTom Yu <tlyu@mit.edu>2009-04-07 21:22:20 +0000
committerTom Yu <tlyu@mit.edu>2009-04-07 21:22:20 +0000
commit9024676102cbd24d08f41fa3de7761d64f13db4d (patch)
treee280b6e5f77ba3746702395255d38ce92455e8d8 /src
parent19b0ab4fae79371e1ccdba38f262b3aa05c20a80 (diff)
downloadkrb5-9024676102cbd24d08f41fa3de7761d64f13db4d.tar.gz
krb5-9024676102cbd24d08f41fa3de7761d64f13db4d.tar.xz
krb5-9024676102cbd24d08f41fa3de7761d64f13db4d.zip
CVE-2009-0847 asn1buf_imbed incorrect length validation
asn1buf_imbed() can perform pointer arithmetic that causes the "bound" pointer of the subbuffer to be less than the "next" pointer. This can lead to malloc() failure or crash. In asn1buf_imbed(), check the length before doing arithmetic to set subbuf->bound. In asn1buf_remove_octetstring() and asn1buf_remove_charstring(), check for invalid buffer pointers before executing an unsigned length check against a (casted to size_t) negative number. ticket: 6444 tags: pullup target_version: 1.7 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22175 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
-rw-r--r--src/lib/krb5/asn.1/asn1buf.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/src/lib/krb5/asn.1/asn1buf.c b/src/lib/krb5/asn.1/asn1buf.c
index 5793a0303..8985140d4 100644
--- a/src/lib/krb5/asn.1/asn1buf.c
+++ b/src/lib/krb5/asn.1/asn1buf.c
@@ -92,11 +92,11 @@ asn1_error_code asn1buf_wrap_data(asn1buf *buf, const krb5_data *code)
asn1_error_code asn1buf_imbed(asn1buf *subbuf, const asn1buf *buf, const unsigned int length, const int indef)
{
+ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
subbuf->base = subbuf->next = buf->next;
if (!indef) {
+ if (length > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;
subbuf->bound = subbuf->base + length - 1;
- if (subbuf->bound > buf->bound)
- return ASN1_OVERRUN;
} else /* constructed indefinite */
subbuf->bound = buf->bound;
return 0;
@@ -205,6 +205,7 @@ asn1_error_code asn1buf_remove_octetstring(asn1buf *buf, const unsigned int len,
{
unsigned int i;
+ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
if (len > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;
if (len == 0) {
*s = 0;
@@ -223,6 +224,7 @@ asn1_error_code asn1buf_remove_charstring(asn1buf *buf, const unsigned int len,
{
unsigned int i;
+ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
if (len > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;
if (len == 0) {
*s = 0;