36 lines
1.3 KiB
Diff
36 lines
1.3 KiB
Diff
commit 3cf1a3ce1a409e647f9b8ca4497c26e6d066f293
|
|
Author: Steve Dickson <steved@redhat.com>
|
|
Date: Thu Jan 24 15:01:22 2008 -0500
|
|
|
|
Protect from buffer overflow in the GSS code.
|
|
|
|
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
diff -up libtirpc-0.1.7/src/svc_auth_gss.c.orig libtirpc-0.1.7/src/svc_auth_gss.c
|
|
--- libtirpc-0.1.7/src/svc_auth_gss.c.orig 2008-01-24 14:41:21.000000000 -0500
|
|
+++ libtirpc-0.1.7/src/svc_auth_gss.c 2008-01-24 14:59:31.000000000 -0500
|
|
@@ -294,6 +294,15 @@ svcauth_gss_validate(struct svc_rpc_gss_
|
|
memset(rpchdr, 0, sizeof(rpchdr));
|
|
|
|
/* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
|
|
+ oa = &msg->rm_call.cb_cred;
|
|
+ if (oa->oa_length > MAX_AUTH_BYTES)
|
|
+ return (FALSE);
|
|
+
|
|
+ /* 8 XDR units from the IXDR macro calls. */
|
|
+ if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
|
|
+ RNDUP(oa->oa_length)))
|
|
+ return (FALSE);
|
|
+
|
|
buf = (int32_t *)rpchdr;
|
|
IXDR_PUT_LONG(buf, msg->rm_xid);
|
|
IXDR_PUT_ENUM(buf, msg->rm_direction);
|
|
@@ -301,7 +310,6 @@ svcauth_gss_validate(struct svc_rpc_gss_
|
|
IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
|
|
IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
|
|
IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
|
|
- oa = &msg->rm_call.cb_cred;
|
|
IXDR_PUT_ENUM(buf, oa->oa_flavor);
|
|
IXDR_PUT_LONG(buf, oa->oa_length);
|
|
if (oa->oa_length) {
|