diff options
author | Nalin Dahyabhai <nalin@fedoraproject.org> | 2009-04-07 18:14:43 +0000 |
---|---|---|
committer | Nalin Dahyabhai <nalin@fedoraproject.org> | 2009-04-07 18:14:43 +0000 |
commit | e96b2fa56463a7227ca02e66c1647d5e55ff13fa (patch) | |
tree | 3d48e6982f594ce92c7bce71390cacbab1afecfc | |
parent | 85db43f655a4989e3fa6c498e02c13ecf608d09e (diff) | |
download | krb5-e96b2fa56463a7227ca02e66c1647d5e55ff13fa.tar.gz krb5-e96b2fa56463a7227ca02e66c1647d5e55ff13fa.tar.xz krb5-e96b2fa56463a7227ca02e66c1647d5e55ff13fa.zip |
- add patches for read overflow and null pointer dereference in the
implementation of the SPNEGO mechanism (CVE-2009-0844, CVE-2009-0845)
-rw-r--r-- | krb5-CVE-2009-0844-0845-2.patch | 157 |
1 files changed, 157 insertions, 0 deletions
diff --git a/krb5-CVE-2009-0844-0845-2.patch b/krb5-CVE-2009-0844-0845-2.patch new file mode 100644 index 0000000..a34658b --- /dev/null +++ b/krb5-CVE-2009-0844-0845-2.patch @@ -0,0 +1,157 @@ +diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c +index 832abe6..4384708 100644 +--- a/src/lib/gssapi/spnego/spnego_mech.c ++++ b/src/lib/gssapi/spnego/spnego_mech.c +@@ -54,8 +54,8 @@ typedef const gss_OID_desc *gss_OID_const; + + /* der routines defined in libgss */ + extern unsigned int gssint_der_length_size(OM_uint32); +-extern int gssint_get_der_length(unsigned char **, OM_uint32, OM_uint32*); +-extern int gssint_put_der_length(OM_uint32, unsigned char **, OM_uint32); ++extern int gssint_get_der_length(unsigned char **, OM_uint32, unsigned int*); ++extern int gssint_put_der_length(OM_uint32, unsigned char **, unsigned int); + + + /* private routines for spnego_mechanism */ +@@ -1249,7 +1249,8 @@ spnego_gss_accept_sec_context(void *ct, + } + cleanup: + if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) { +- tmpret = make_spnego_tokenTarg_msg(negState, sc->internal_mech, ++ tmpret = make_spnego_tokenTarg_msg(negState, ++ sc ? sc->internal_mech : GSS_C_NO_OID, + &mechtok_out, mic_out, + return_token, + output_token); +@@ -1802,22 +1803,16 @@ static gss_buffer_t + get_input_token(unsigned char **buff_in, unsigned int buff_length) + { + gss_buffer_t input_token; +- unsigned int bytes; ++ unsigned int len; + +- if (**buff_in != OCTET_STRING) ++ if (g_get_tag_and_length(buff_in, OCTET_STRING, buff_length, &len) < 0) + return (NULL); + +- (*buff_in)++; + input_token = (gss_buffer_t)malloc(sizeof (gss_buffer_desc)); +- + if (input_token == NULL) + return (NULL); + +- input_token->length = gssint_get_der_length(buff_in, buff_length, &bytes); +- if ((int)input_token->length == -1) { +- free(input_token); +- return (NULL); +- } ++ input_token->length = len; + input_token->value = malloc(input_token->length); + + if (input_token->value == NULL) { +@@ -1869,8 +1864,8 @@ get_mech_set(OM_uint32 *minor_status, unsigned char **buff_in, + { + gss_OID_set returned_mechSet; + OM_uint32 major_status; +- OM_uint32 length; +- OM_uint32 bytes; ++ int length; ++ unsigned int bytes; + OM_uint32 set_length; + unsigned char *start; + int i; +@@ -1882,22 +1877,25 @@ get_mech_set(OM_uint32 *minor_status, unsigned char **buff_in, + (*buff_in)++; + + length = gssint_get_der_length(buff_in, buff_length, &bytes); ++ if (length < 0 || buff_length - bytes < (unsigned int)length) ++ return NULL; + + major_status = gss_create_empty_oid_set(minor_status, + &returned_mechSet); + if (major_status != GSS_S_COMPLETE) + return (NULL); + +- for (set_length = 0, i = 0; set_length < length; i++) { ++ for (set_length = 0, i = 0; set_length < (unsigned int)length; i++) { + gss_OID_desc *temp = get_mech_oid(minor_status, buff_in, + buff_length - (*buff_in - start)); +- if (temp != NULL) { +- major_status = gss_add_oid_set_member(minor_status, +- temp, &returned_mechSet); +- if (major_status == GSS_S_COMPLETE) { ++ if (temp == NULL) ++ break; ++ ++ major_status = gss_add_oid_set_member(minor_status, ++ temp, &returned_mechSet); ++ if (major_status == GSS_S_COMPLETE) { + set_length += returned_mechSet->elements[i].length +2; + generic_gss_release_oid(minor_status, &temp); +- } + } + } + +@@ -2097,7 +2095,7 @@ get_negTokenResp(OM_uint32 *minor_status, + return GSS_S_DEFECTIVE_TOKEN; + if (*ptr++ == SEQUENCE) { + tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); +- if (tmplen < 0) ++ if (tmplen < 0 || REMAIN < (unsigned int)tmplen) + return GSS_S_DEFECTIVE_TOKEN; + } + if (REMAIN < 1) +@@ -2107,7 +2105,7 @@ get_negTokenResp(OM_uint32 *minor_status, + + if (tag == CONTEXT) { + tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); +- if (tmplen < 0) ++ if (tmplen < 0 || REMAIN < (unsigned int)tmplen) + return GSS_S_DEFECTIVE_TOKEN; + + if (g_get_tag_and_length(&ptr, ENUMERATED, +@@ -2128,7 +2126,7 @@ get_negTokenResp(OM_uint32 *minor_status, + } + if (tag == (CONTEXT | 0x01)) { + tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); +- if (tmplen < 0) ++ if (tmplen < 0 || REMAIN < (unsigned int)tmplen) + return GSS_S_DEFECTIVE_TOKEN; + + *supportedMech = get_mech_oid(minor_status, &ptr, REMAIN); +@@ -2142,7 +2140,7 @@ get_negTokenResp(OM_uint32 *minor_status, + } + if (tag == (CONTEXT | 0x02)) { + tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); +- if (tmplen < 0) ++ if (tmplen < 0 || REMAIN < (unsigned int)tmplen) + return GSS_S_DEFECTIVE_TOKEN; + + *responseToken = get_input_token(&ptr, REMAIN); +@@ -2156,7 +2154,7 @@ get_negTokenResp(OM_uint32 *minor_status, + } + if (tag == (CONTEXT | 0x03)) { + tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); +- if (tmplen < 0) ++ if (tmplen < 0 || REMAIN < (unsigned int)tmplen) + return GSS_S_DEFECTIVE_TOKEN; + + *mechListMIC = get_input_token(&ptr, REMAIN); +@@ -2464,6 +2462,8 @@ make_spnego_tokenTarg_msg(OM_uint32 status, gss_OID mech_wanted, + + if (outbuf == GSS_C_NO_BUFFER) + return (GSS_S_DEFECTIVE_TOKEN); ++ if (sendtoken == INIT_TOKEN_SEND && mech_wanted == GSS_C_NO_OID) ++ return (GSS_S_DEFECTIVE_TOKEN); + + outbuf->length = 0; + outbuf->value = NULL; +@@ -2715,7 +2715,7 @@ g_get_tag_and_length(unsigned char **buf, int tag, + &encoded_len); + if (tmplen < 0) { + ret = -1; +- } else if (tmplen > buflen - (ptr - *buf)) { ++ } else if ((unsigned int)tmplen > buflen - (ptr - *buf)) { + ret = -1; + } else + ret = 0; |