2006-04-10 NeilBrown <neilb@suse.de>

Various paranoia checks: gssd_proc.c: pass max_field sizes to sscanf to avoid buffer overflow svcgssd_proc.c: range_check name.length, to ensure name.length+1 doesn't wrap idmapd.c(nfsdcb): make sure at least one byte is read before zeroing the last byte that was read, otherwise memory corruption is possible. Found by SuSE security audit.
author: neilbrown <neilbrown> 2006-04-10 09:57:17 +0000
committer: neilbrown <neilbrown> 2006-04-10 09:57:17 +0000
commit: 660809fe7e597520d17deab9225f1b371c08d65c (patch)
tree: b0da1b809f0f3ca6fac54b662486440998f9cea3 /utils/gssd/svcgssd_proc.c
parent: aa2d7a1e352a6c2190452ebc3c638b66a2cf6f9b (diff)
download: nfs-utils-660809fe7e597520d17deab9225f1b371c08d65c.tar.gz
nfs-utils-660809fe7e597520d17deab9225f1b371c08d65c.tar.xz
nfs-utils-660809fe7e597520d17deab9225f1b371c08d65c.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/utils/gssd/svcgssd_proc.c b/utils/gssd/svcgssd_proc.c
index 14b7f17..b3a6ae8 100644
--- a/utils/gssd/svcgssd_proc.c
+++ b/utils/gssd/svcgssd_proc.c
@@ -200,7 +200,8 @@ get_ids(gss_name_t client_name, gss_OID mech, struct svc_cred *cred)
 			maj_stat, min_stat, mech);
 		goto out;
 	}
-	if (!(sname = calloc(name.length + 1, 1))) {
+	if (name.length >= 0xffff || /* be certain name.length+1 doesn't overflow */
+	    !(sname = calloc(name.length + 1, 1))) {
 		printerr(0, "WARNING: get_ids: error allocating %d bytes "
 			"for sname\n", name.length + 1);
 		gss_release_buffer(&min_stat, &name);
author	neilbrown <neilbrown>	2006-04-10 09:57:17 +0000
committer	neilbrown <neilbrown>	2006-04-10 09:57:17 +0000
commit	660809fe7e597520d17deab9225f1b371c08d65c (patch)
tree	b0da1b809f0f3ca6fac54b662486440998f9cea3 /utils/gssd/svcgssd_proc.c
parent	aa2d7a1e352a6c2190452ebc3c638b66a2cf6f9b (diff)
download	nfs-utils-660809fe7e597520d17deab9225f1b371c08d65c.tar.gz nfs-utils-660809fe7e597520d17deab9225f1b371c08d65c.tar.xz nfs-utils-660809fe7e597520d17deab9225f1b371c08d65c.zip