summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorneilbrown <neilbrown>2006-04-10 09:57:17 +0000
committerneilbrown <neilbrown>2006-04-10 09:57:17 +0000
commit660809fe7e597520d17deab9225f1b371c08d65c (patch)
treeb0da1b809f0f3ca6fac54b662486440998f9cea3
parentaa2d7a1e352a6c2190452ebc3c638b66a2cf6f9b (diff)
downloadnfs-utils-660809fe7e597520d17deab9225f1b371c08d65c.tar.gz
nfs-utils-660809fe7e597520d17deab9225f1b371c08d65c.tar.xz
nfs-utils-660809fe7e597520d17deab9225f1b371c08d65c.zip
2006-04-10 NeilBrown <neilb@suse.de>
Various paranoia checks: gssd_proc.c: pass max_field sizes to sscanf to avoid buffer overflow svcgssd_proc.c: range_check name.length, to ensure name.length+1 doesn't wrap idmapd.c(nfsdcb): make sure at least one byte is read before zeroing the last byte that was read, otherwise memory corruption is possible. Found by SuSE security audit.
Diffstat
-rw-r--r--ChangeLog12
-rw-r--r--utils/gssd/gssd_proc.c8
-rw-r--r--utils/gssd/svcgssd_proc.c3
-rw-r--r--utils/idmapd/idmapd.c5
4 files changed, 21 insertions, 7 deletions
diff --git a/ChangeLog b/ChangeLog
index 9151183..789d3b4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2006-04-10 NeilBrown <neilb@suse.de>
+ Various paranoia checks:
+ gssd_proc.c: pass max_field sizes to sscanf to avoid buffer
+ overflow
+ svcgssd_proc.c: range_check name.length, to ensure name.length+1
+ doesn't wrap
+ idmapd.c(nfsdcb): make sure at least one byte is read before
+ zeroing the last byte that was read, otherwise memory corruption
+ is possible.
+
+ Found by SuSE security audit.
+
2006-04-10 "Kevin Coffman" <kwc@citi.umich.edu>
Check for sufficient version of librpcsecgss and libgssapi
in configure.in
diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index bac0520..75a04f5 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -127,10 +127,10 @@ read_service_info(char *info_file_name, char **servicename, char **servername,
goto fail;
close(fd);
- numfields = sscanf(buf,"RPC server: %s\n"
- "service: %s %s version %s\n"
- "address: %s\n"
- "protocol: %s\n",
+ numfields = sscanf(buf,"RPC server: %127s\n"
+ "service: %127s %15s version %15s\n"
+ "address: %127s\n"
+ "protocol: %15s\n",
dummy,
service, program, version,
address,
diff --git a/utils/gssd/svcgssd_proc.c b/utils/gssd/svcgssd_proc.c
index 14b7f17..b3a6ae8 100644
--- a/utils/gssd/svcgssd_proc.c
+++ b/utils/gssd/svcgssd_proc.c
@@ -200,7 +200,8 @@ get_ids(gss_name_t client_name, gss_OID mech, struct svc_cred *cred)
maj_stat, min_stat, mech);
goto out;
}
- if (!(sname = calloc(name.length + 1, 1))) {
+ if (name.length >= 0xffff || /* be certain name.length+1 doesn't overflow */
+ !(sname = calloc(name.length + 1, 1))) {
printerr(0, "WARNING: get_ids: error allocating %d bytes "
"for sname\n", name.length + 1);
gss_release_buffer(&min_stat, &name);
diff --git a/utils/idmapd/idmapd.c b/utils/idmapd/idmapd.c
index 5712edb..158feaf 100644
--- a/utils/idmapd/idmapd.c
+++ b/utils/idmapd/idmapd.c
@@ -547,9 +547,10 @@ nfsdcb(int fd, short which, void *data)
if (which != EV_READ)
goto out;
- if ((len = read(ic->ic_fd, buf, sizeof(buf))) == -1) {
+ if ((len = read(ic->ic_fd, buf, sizeof(buf))) <= 0) {
idmapd_warnx("nfsdcb: read(%s) failed: errno %d (%s)",
- ic->ic_path, errno, strerror(errno));
+ ic->ic_path, len?errno:0,
+ len?strerror(errno):"End of File");
goto out;
}
generated by cgit (git 2.34.1) at 2024-06-15 06:23:55 +0000