krb5/0025-Fix-various-issues-detected-by-static-analysis.patch

From 5464ad5b64f7ce7c3d78082352189af7c8feb95f Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Fri, 6 Sep 2024 17:18:11 +0200
Subject: [PATCH] Fix various issues detected by static analysis

(cherry picked from commit 53d352949941ee236461658d01f03c37abafc6f6)
---
 src/clients/klist/klist.c  | 13 +++++++------
 src/kadmin/dbutil/dump.c   |  5 +++++
 src/kdc/ndr.c              |  2 +-
 src/lib/kdb/decrypt_key.c  |  2 +-
 src/lib/rpc/svc_auth_gss.c |  5 ++++-
 src/lib/rpc/svc_udp.c      | 13 +++++++------
 src/util/support/threads.c |  2 --
 7 files changed, 25 insertions(+), 17 deletions(-)

diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
index 27cf0ee11b..9db66f6072 100644
--- a/src/clients/klist/klist.c
+++ b/src/clients/klist/klist.c
@@ -666,7 +666,7 @@ show_credential(krb5_creds *cred)
     krb5_error_code ret;
     krb5_ticket *tkt = NULL;
     char *name = NULL, *sname = NULL, *tktsname, *flags;
-    int extra_field = 0, ccol = 0, i;
+    int extra_field = 0, ccol = 0, i, r;
     krb5_boolean is_config = krb5_is_config_principal(context, cred->server);
 
     ret = krb5_unparse_name(context, cred->client, &name);
@@ -696,11 +696,12 @@ show_credential(krb5_creds *cred)
         fputs("config: ", stdout);
         ccol = 8;
         for (i = 1; i < cred->server->length; i++) {
-            ccol += printf("%s%.*s%s",
-                           i > 1 ? "(" : "",
-                           (int)cred->server->data[i].length,
-                           cred->server->data[i].data,
-                           i > 1 ? ")" : "");
+            r = printf("%s%.*s%s", i > 1 ? "(" : "",
+                                   (int)cred->server->data[i].length,
+                                   cred->server->data[i].data,
+                                   i > 1 ? ")" : "");
+            if (r >= 0)
+                ccol += r;
         }
         fputs(" = ", stdout);
         ccol += 3;
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index 4d6cc0bdf9..feb053d834 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -704,6 +704,11 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
 
     dbentry->len = u1;
     dbentry->n_key_data = u4;
+
+    if (u5 > UINT16_MAX) {
+        load_err(fname, *linenop, _("invalid principal extra data size"));
+        goto fail;
+    }
     dbentry->e_length = u5;
 
     if (kp != NULL) {
diff --git a/src/kdc/ndr.c b/src/kdc/ndr.c
index d438408ee2..38be9fe42a 100644
--- a/src/kdc/ndr.c
+++ b/src/kdc/ndr.c
@@ -242,7 +242,7 @@ ndr_enc_delegation_info(struct pac_s4u_delegation_info *in, krb5_data *out)
 {
     krb5_error_code ret;
     size_t i;
-    struct k5buf b;
+    struct k5buf b = EMPTY_K5BUF;
     struct encoded_wchars pt_encoded = { 0 }, *tss_encoded = NULL;
     uint32_t pointer = 0;
 
diff --git a/src/lib/kdb/decrypt_key.c b/src/lib/kdb/decrypt_key.c
index 82bbed6312..c971793c9d 100644
--- a/src/lib/kdb/decrypt_key.c
+++ b/src/lib/kdb/decrypt_key.c
@@ -60,7 +60,7 @@ krb5_dbe_def_decrypt_key_data(krb5_context context, const krb5_keyblock *mkey,
                               krb5_keyblock *dbkey_out,
                               krb5_keysalt *keysalt_out)
 {
-    krb5_error_code ret;
+    krb5_error_code ret = KRB5_CRYPTO_INTERNAL;
     int16_t keylen;
     krb5_enc_data cipher;
     krb5_data plain = empty_data();
diff --git a/src/lib/rpc/svc_auth_gss.c b/src/lib/rpc/svc_auth_gss.c
index 98d601c8ab..461e5de542 100644
--- a/src/lib/rpc/svc_auth_gss.c
+++ b/src/lib/rpc/svc_auth_gss.c
@@ -297,7 +297,7 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
 	struct opaque_auth	*oa;
 	gss_buffer_desc		 rpcbuf, checksum;
 	OM_uint32		 maj_stat, min_stat, qop_state;
-	u_char			 rpchdr[128];
+	u_char			 rpchdr[32 + MAX_AUTH_BYTES];
 	int32_t			*buf;
 
 	log_debug("in svcauth_gss_validate()");
@@ -315,6 +315,8 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
 		return (FALSE);
 
 	buf = (int32_t *)(void *)rpchdr;
+
+        /* Write the 32 first bytes of the header. */
 	IXDR_PUT_LONG(buf, msg->rm_xid);
 	IXDR_PUT_ENUM(buf, msg->rm_direction);
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_rpcvers);
@@ -323,6 +325,7 @@ svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct r
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
 	IXDR_PUT_ENUM(buf, oa->oa_flavor);
 	IXDR_PUT_LONG(buf, oa->oa_length);
+
 	if (oa->oa_length) {
 		memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
 		buf += RNDUP(oa->oa_length) / sizeof(int32_t);
diff --git a/src/lib/rpc/svc_udp.c b/src/lib/rpc/svc_udp.c
index 8ecbdf2b33..3aff277eb7 100644
--- a/src/lib/rpc/svc_udp.c
+++ b/src/lib/rpc/svc_udp.c
@@ -248,8 +248,9 @@ static bool_t svcudp_reply(
 {
      struct svcudp_data *su = su_data(xprt);
      XDR *xdrs = &su->su_xdrs;
-     int slen;
+     u_int slen;
      bool_t stat = FALSE;
+     ssize_t r;
 
      xdrproc_t xdr_results = NULL;
      caddr_t xdr_location = 0;
@@ -272,12 +273,12 @@ static bool_t svcudp_reply(
      if (xdr_replymsg(xdrs, msg) &&
 	 (!has_args ||
 	  (SVCAUTH_WRAP(xprt->xp_auth, xdrs, xdr_results, xdr_location)))) {
-	  slen = (int)XDR_GETPOS(xdrs);
-	  if (sendto(xprt->xp_sock, rpc_buffer(xprt), slen, 0,
-		     (struct sockaddr *)&(xprt->xp_raddr), xprt->xp_addrlen)
-	      == slen) {
+	  slen = XDR_GETPOS(xdrs);
+	  r = sendto(xprt->xp_sock, rpc_buffer(xprt), slen, 0,
+		     (struct sockaddr *)&(xprt->xp_raddr), xprt->xp_addrlen);
+	  if (r >= 0 && (u_int)r == slen) {
 	       stat = TRUE;
-	       if (su->su_cache && slen >= 0) {
+	       if (su->su_cache) {
 		    cache_set(xprt, (uint32_t) slen);
 	       }
 	  }
diff --git a/src/util/support/threads.c b/src/util/support/threads.c
index be7e4c2e3f..4ded805b79 100644
--- a/src/util/support/threads.c
+++ b/src/util/support/threads.c
@@ -118,7 +118,6 @@ struct tsd_block {
 # pragma weak pthread_mutex_destroy
 # pragma weak pthread_mutex_init
 # pragma weak pthread_self
-# pragma weak pthread_equal
 # pragma weak pthread_getspecific
 # pragma weak pthread_setspecific
 # pragma weak pthread_key_create
@@ -151,7 +150,6 @@ int krb5int_pthread_loaded (void)
         || &pthread_mutex_destroy == 0
         || &pthread_mutex_init == 0
         || &pthread_self == 0
-        || &pthread_equal == 0
         /* Any program that's really multithreaded will have to be
            able to create threads.  */
         || &pthread_create == 0
-- 
2.46.0
krb5 1.21.1-4 - libkrad: implement support for Message-Authenticator (CVE-2024-3596) Resolves: RHEL-55423 - Fix various issues detected by static analysis Resolves: RHEL-58216 - Remove RSA protocol for PKINIT Resolves: RHEL-15323 Signed-off-by: Julien Rische <jrische@redhat.com> 2024-09-10 13:21:50 +00:00			`From 5464ad5b64f7ce7c3d78082352189af7c8feb95f Mon Sep 17 00:00:00 2001`
			`From: Julien Rische <jrische@redhat.com>`
			`Date: Fri, 6 Sep 2024 17:18:11 +0200`
			`Subject: [PATCH] Fix various issues detected by static analysis`

			`(cherry picked from commit 53d352949941ee236461658d01f03c37abafc6f6)`
			`---`
			`src/clients/klist/klist.c \| 13 +++++++------`
			`src/kadmin/dbutil/dump.c \| 5 +++++`
			`src/kdc/ndr.c \| 2 +-`
			`src/lib/kdb/decrypt_key.c \| 2 +-`
			`src/lib/rpc/svc_auth_gss.c \| 5 ++++-`
			`src/lib/rpc/svc_udp.c \| 13 +++++++------`
			`src/util/support/threads.c \| 2 --`
			`7 files changed, 25 insertions(+), 17 deletions(-)`

			`diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c`
			`index 27cf0ee11b..9db66f6072 100644`
			`--- a/src/clients/klist/klist.c`
			`+++ b/src/clients/klist/klist.c`
			`@@ -666,7 +666,7 @@ show_credential(krb5_creds *cred)`
			`krb5_error_code ret;`
			`krb5_ticket *tkt = NULL;`
			`char name = NULL, sname = NULL, tktsname, flags;`
			`- int extra_field = 0, ccol = 0, i;`
			`+ int extra_field = 0, ccol = 0, i, r;`
			`krb5_boolean is_config = krb5_is_config_principal(context, cred->server);`

			`ret = krb5_unparse_name(context, cred->client, &name);`
			`@@ -696,11 +696,12 @@ show_credential(krb5_creds *cred)`
			`fputs("config: ", stdout);`
			`ccol = 8;`
			`for (i = 1; i < cred->server->length; i++) {`
			`- ccol += printf("%s%.*s%s",`
			`- i > 1 ? "(" : "",`
			`- (int)cred->server->data[i].length,`
			`- cred->server->data[i].data,`
			`- i > 1 ? ")" : "");`
			`+ r = printf("%s%.*s%s", i > 1 ? "(" : "",`
			`+ (int)cred->server->data[i].length,`
			`+ cred->server->data[i].data,`
			`+ i > 1 ? ")" : "");`
			`+ if (r >= 0)`
			`+ ccol += r;`
			`}`
			`fputs(" = ", stdout);`
			`ccol += 3;`
			`diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c`
			`index 4d6cc0bdf9..feb053d834 100644`
			`--- a/src/kadmin/dbutil/dump.c`
			`+++ b/src/kadmin/dbutil/dump.c`
			`@@ -704,6 +704,11 @@ process_k5beta7_princ(krb5_context context, const char fname, FILE filep,`

			`dbentry->len = u1;`
			`dbentry->n_key_data = u4;`
			`+`
			`+ if (u5 > UINT16_MAX) {`
			`+ load_err(fname, *linenop, _("invalid principal extra data size"));`
			`+ goto fail;`
			`+ }`
			`dbentry->e_length = u5;`

			`if (kp != NULL) {`
			`diff --git a/src/kdc/ndr.c b/src/kdc/ndr.c`
			`index d438408ee2..38be9fe42a 100644`
			`--- a/src/kdc/ndr.c`
			`+++ b/src/kdc/ndr.c`
			`@@ -242,7 +242,7 @@ ndr_enc_delegation_info(struct pac_s4u_delegation_info in, krb5_data out)`
			`{`
			`krb5_error_code ret;`
			`size_t i;`
			`- struct k5buf b;`
			`+ struct k5buf b = EMPTY_K5BUF;`
			`struct encoded_wchars pt_encoded = { 0 }, *tss_encoded = NULL;`
			`uint32_t pointer = 0;`

			`diff --git a/src/lib/kdb/decrypt_key.c b/src/lib/kdb/decrypt_key.c`
			`index 82bbed6312..c971793c9d 100644`
			`--- a/src/lib/kdb/decrypt_key.c`
			`+++ b/src/lib/kdb/decrypt_key.c`
			`@@ -60,7 +60,7 @@ krb5_dbe_def_decrypt_key_data(krb5_context context, const krb5_keyblock *mkey,`
			`krb5_keyblock *dbkey_out,`
			`krb5_keysalt *keysalt_out)`
			`{`
			`- krb5_error_code ret;`
			`+ krb5_error_code ret = KRB5_CRYPTO_INTERNAL;`
			`int16_t keylen;`
			`krb5_enc_data cipher;`
			`krb5_data plain = empty_data();`
			`diff --git a/src/lib/rpc/svc_auth_gss.c b/src/lib/rpc/svc_auth_gss.c`
			`index 98d601c8ab..461e5de542 100644`
			`--- a/src/lib/rpc/svc_auth_gss.c`
			`+++ b/src/lib/rpc/svc_auth_gss.c`
			`@@ -297,7 +297,7 @@ svcauth_gss_validate(struct svc_req rqst, struct svc_rpc_gss_data gd, struct r`
			`struct opaque_auth *oa;`
			`gss_buffer_desc rpcbuf, checksum;`
			`OM_uint32 maj_stat, min_stat, qop_state;`
			`- u_char rpchdr[128];`
			`+ u_char rpchdr[32 + MAX_AUTH_BYTES];`
			`int32_t *buf;`

			`log_debug("in svcauth_gss_validate()");`
			`@@ -315,6 +315,8 @@ svcauth_gss_validate(struct svc_req rqst, struct svc_rpc_gss_data gd, struct r`
			`return (FALSE);`

			`buf = (int32_t )(void )rpchdr;`
			`+`
			`+ /* Write the 32 first bytes of the header. */`
			`IXDR_PUT_LONG(buf, msg->rm_xid);`
			`IXDR_PUT_ENUM(buf, msg->rm_direction);`
			`IXDR_PUT_LONG(buf, msg->rm_call.cb_rpcvers);`
			`@@ -323,6 +325,7 @@ svcauth_gss_validate(struct svc_req rqst, struct svc_rpc_gss_data gd, struct r`
			`IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);`
			`IXDR_PUT_ENUM(buf, oa->oa_flavor);`
			`IXDR_PUT_LONG(buf, oa->oa_length);`
			`+`
			`if (oa->oa_length) {`
			`memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);`
			`buf += RNDUP(oa->oa_length) / sizeof(int32_t);`
			`diff --git a/src/lib/rpc/svc_udp.c b/src/lib/rpc/svc_udp.c`
			`index 8ecbdf2b33..3aff277eb7 100644`
			`--- a/src/lib/rpc/svc_udp.c`
			`+++ b/src/lib/rpc/svc_udp.c`
			`@@ -248,8 +248,9 @@ static bool_t svcudp_reply(`
			`{`
			`struct svcudp_data *su = su_data(xprt);`
			`XDR *xdrs = &su->su_xdrs;`
			`- int slen;`
			`+ u_int slen;`
			`bool_t stat = FALSE;`
			`+ ssize_t r;`

			`xdrproc_t xdr_results = NULL;`
			`caddr_t xdr_location = 0;`
			`@@ -272,12 +273,12 @@ static bool_t svcudp_reply(`
			`if (xdr_replymsg(xdrs, msg) &&`
			`(!has_args \|\|`
			`(SVCAUTH_WRAP(xprt->xp_auth, xdrs, xdr_results, xdr_location)))) {`
			`- slen = (int)XDR_GETPOS(xdrs);`
			`- if (sendto(xprt->xp_sock, rpc_buffer(xprt), slen, 0,`
			`- (struct sockaddr *)&(xprt->xp_raddr), xprt->xp_addrlen)`
			`- == slen) {`
			`+ slen = XDR_GETPOS(xdrs);`
			`+ r = sendto(xprt->xp_sock, rpc_buffer(xprt), slen, 0,`
			`+ (struct sockaddr *)&(xprt->xp_raddr), xprt->xp_addrlen);`
			`+ if (r >= 0 && (u_int)r == slen) {`
			`stat = TRUE;`
			`- if (su->su_cache && slen >= 0) {`
			`+ if (su->su_cache) {`
			`cache_set(xprt, (uint32_t) slen);`
			`}`
			`}`
			`diff --git a/src/util/support/threads.c b/src/util/support/threads.c`
			`index be7e4c2e3f..4ded805b79 100644`
			`--- a/src/util/support/threads.c`
			`+++ b/src/util/support/threads.c`
			`@@ -118,7 +118,6 @@ struct tsd_block {`
			`# pragma weak pthread_mutex_destroy`
			`# pragma weak pthread_mutex_init`
			`# pragma weak pthread_self`
			`-# pragma weak pthread_equal`
			`# pragma weak pthread_getspecific`
			`# pragma weak pthread_setspecific`
			`# pragma weak pthread_key_create`
			`@@ -151,7 +150,6 @@ int krb5int_pthread_loaded (void)`
			`\|\| &pthread_mutex_destroy == 0`
			`\|\| &pthread_mutex_init == 0`
			`\|\| &pthread_self == 0`
			`- \|\| &pthread_equal == 0`
			`/* Any program that's really multithreaded will have to be`
			`able to create threads. */`
			`\|\| &pthread_create == 0`
			`--`
			`2.46.0`