authorpk193450 <none@none>2007-09-20 00:59:05 -0700
committerpk193450 <none@none>2007-09-20 00:59:05 -0700
commita38dd497aa503e9d80665c24b521fee255609df4 (patch)
tree30217d8f70c444b19411d45a6a2591751b873913 /usr/src/lib/rpcsec_gss/svc_rpcsec_gss.c
parent97b92364ab8ce117c36c8ac5844c8d44bdda4299 (diff)
6591024 kadmind vulnerable to stack buffer overflow in RPCSEC_GSS [ MITKRB-SA-2007-006 ]
Diffstat (limited to 'usr/src/lib/rpcsec_gss/svc_rpcsec_gss.c')
-rw-r--r--usr/src/lib/rpcsec_gss/svc_rpcsec_gss.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/usr/src/lib/rpcsec_gss/svc_rpcsec_gss.c b/usr/src/lib/rpcsec_gss/svc_rpcsec_gss.c
index 4091e7cfdf..8471344a4e 100644
--- a/usr/src/lib/rpcsec_gss/svc_rpcsec_gss.c
+++ b/usr/src/lib/rpcsec_gss/svc_rpcsec_gss.c
@@ -1097,14 +1097,23 @@ check_verf(msg, context, qop_state)
* We have to reconstruct the RPC header from the previously
* parsed information, since we haven't kept the header intact.
*/
+
+ oa = &msg->rm_call.cb_cred;
+ if (oa->oa_length > MAX_AUTH_BYTES)
+ return (FALSE);
+
+ /* 8 XDR units from the IXDR macro calls. */
+ if (sizeof (hdr) < (8 * BYTES_PER_XDR_UNIT +
+ RNDUP(oa->oa_length)))
+ return (FALSE);
buf = hdr;
+
IXDR_PUT_U_INT32(buf, msg->rm_xid);
IXDR_PUT_ENUM(buf, msg->rm_direction);
IXDR_PUT_U_INT32(buf, msg->rm_call.cb_rpcvers);
IXDR_PUT_U_INT32(buf, msg->rm_call.cb_prog);
IXDR_PUT_U_INT32(buf, msg->rm_call.cb_vers);
IXDR_PUT_U_INT32(buf, msg->rm_call.cb_proc);
- oa = &msg->rm_call.cb_cred;
IXDR_PUT_ENUM(buf, oa->oa_flavor);
IXDR_PUT_U_INT32(buf, oa->oa_length);
if (oa->oa_length) {
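Review bot: The literal `8` in the new sizeof (hdr) guard is tied to the IXDR_PUT calls below only by the one-line comment, so a later change that adds or drops a field in the reconstructed header would silently desynchronize the bound from the writes it protects; I would enumerate the fields in that comment, e.g. `/* 8 XDR units: xid, direction, rpcvers, prog, vers, proc, oa_flavor, oa_length */`, or hoist the count into a named constant defined next to hdr's declaration. The check also relies on hdr being a fixed-size array declared earlier in check_verf, outside this hunk; if it were ever changed to a pointer, sizeof (hdr) would become the pointer size and every message would be rejected instead of the overflow being caught, which deserves a note at the declaration. Both early returns reject silently, so an operator cannot tell an oversized credential (the condition this commit hardens against) from an ordinary verifier failure; a debug-level trace at the first `return (FALSE);` would help detection. check_verf begins before and continues after this hunk.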