|
 |
42131c |
commit cf2e0082ce88fc2c75479c26a4b9f69f1b028c80
|
|
|
42131c |
Author: Steve Dickson <steved@redhat.com>
|
|
|
42131c |
Date: Thu May 29 09:40:59 2014 -0400
|
|
|
42131c |
|
|
|
42131c |
Avoid buffer overruns by allocating buffer in svcauth_gss_validate()
|
|
|
42131c |
|
|
|
42131c |
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
|
|
|
42131c |
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
42131c |
|
|
|
42131c |
diff --git a/src/svc_auth_gss.c b/src/svc_auth_gss.c
|
|
|
42131c |
index 601a691..26c1065 100644
|
|
|
42131c |
--- a/src/svc_auth_gss.c
|
|
|
42131c |
+++ b/src/svc_auth_gss.c
|
|
|
42131c |
@@ -286,21 +286,19 @@ svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
|
|
|
42131c |
struct opaque_auth *oa;
|
|
|
42131c |
gss_buffer_desc rpcbuf, checksum;
|
|
|
42131c |
OM_uint32 maj_stat, min_stat, qop_state;
|
|
|
42131c |
- u_char rpchdr[128];
|
|
|
42131c |
+ u_char *rpchdr;
|
|
|
42131c |
int32_t *buf;
|
|
|
42131c |
|
|
|
42131c |
gss_log_debug("in svcauth_gss_validate()");
|
|
|
42131c |
|
|
|
42131c |
- memset(rpchdr, 0, sizeof(rpchdr));
|
|
|
42131c |
-
|
|
|
42131c |
/* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
|
|
|
42131c |
oa = &msg->rm_call.cb_cred;
|
|
|
42131c |
if (oa->oa_length > MAX_AUTH_BYTES)
|
|
|
42131c |
return (FALSE);
|
|
|
42131c |
-
|
|
|
42131c |
- /* 8 XDR units from the IXDR macro calls. */
|
|
|
42131c |
- if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
|
|
|
42131c |
- RNDUP(oa->oa_length)))
|
|
|
42131c |
+
|
|
|
42131c |
+ rpchdr = (u_char *)calloc(((8 * BYTES_PER_XDR_UNIT) +
|
|
|
42131c |
+ RNDUP(oa->oa_length)), 1);
|
|
|
42131c |
+ if (rpchdr == NULL)
|
|
|
42131c |
return (FALSE);
|
|
|
42131c |
|
|
|
42131c |
buf = (int32_t *)rpchdr;
|
|
|
42131c |
@@ -325,6 +323,8 @@ svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
|
|
|
42131c |
maj_stat = gss_verify_mic(&min_stat, gd->ctx, &rpcbuf, &checksum,
|
|
|
42131c |
&qop_state);
|
|
|
42131c |
|
|
|
42131c |
+ free(rpchdr);
|
|
|
42131c |
+
|
|
|
42131c |
if (maj_stat != GSS_S_COMPLETE) {
|
|
|
42131c |
gss_log_status("gss_verify_mic", maj_stat, min_stat);
|
|
|
42131c |
return (FALSE);
|