rpms / libtirpc

Clone
Source Code
GIT

Blame SOURCES/libtirpc-0.2.4-svc-buffer-overflow.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   c7-alt
  2.   SOURCES
  3.   libtirpc-0.2.4-svc-buffer-overflow.patch
Blob History Raw
b52932 
commit cf2e0082ce88fc2c75479c26a4b9f69f1b028c80
b52932 
Author: Steve Dickson <steved@redhat.com>
b52932 
Date:   Thu May 29 09:40:59 2014 -0400
b52932
b52932 
    Avoid buffer overruns by allocating buffer in svcauth_gss_validate()
b52932
b52932 
    Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
b52932 
    Signed-off-by: Steve Dickson <steved@redhat.com>
b52932
b52932 
diff --git a/src/svc_auth_gss.c b/src/svc_auth_gss.c
b52932 
index 601a691..26c1065 100644
b52932 
--- a/src/svc_auth_gss.c
b52932 
+++ b/src/svc_auth_gss.c
b52932 
@@ -286,21 +286,19 @@ svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
b52932 
 	struct opaque_auth	*oa;
b52932 
 	gss_buffer_desc		 rpcbuf, checksum;
b52932 
 	OM_uint32		 maj_stat, min_stat, qop_state;
b52932 
-	u_char			 rpchdr[128];
b52932 
+	u_char			 *rpchdr;
b52932 
 	int32_t			*buf;
b52932
b52932 
 	gss_log_debug("in svcauth_gss_validate()");
b52932
b52932 
-	memset(rpchdr, 0, sizeof(rpchdr));
b52932 
-
b52932 
 	/* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
b52932 
 	oa = &msg->rm_call.cb_cred;
b52932 
 	if (oa->oa_length > MAX_AUTH_BYTES)
b52932 
 		return (FALSE);
b52932 
-
b52932 
-	/* 8 XDR units from the IXDR macro calls. */
b52932 
-	if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
b52932 
-			RNDUP(oa->oa_length)))
b52932 
+
b52932 
+	rpchdr = (u_char *)calloc(((8 * BYTES_PER_XDR_UNIT) +
b52932 
+			RNDUP(oa->oa_length)), 1);
b52932 
+	if (rpchdr == NULL)
b52932 
 		return (FALSE);
b52932
b52932 
 	buf = (int32_t *)rpchdr;
b52932 
@@ -325,6 +323,8 @@ svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
b52932 
 	maj_stat = gss_verify_mic(&min_stat, gd->ctx, &rpcbuf, &checksum,
b52932 
 				  &qop_state);
b52932
b52932 
+	free(rpchdr);
b52932 
+
b52932 
 	if (maj_stat != GSS_S_COMPLETE) {
b52932 
 		gss_log_status("gss_verify_mic", maj_stat, min_stat);
b52932 
 		return (FALSE);

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation