In kdc_util.c and spnego_mech.c, error returns from ASN.1 length
functions could be ignored because they were assigned to unsigned
values. In spnego_mech.c, two buffer size checks could be rewritten
to reduce the likelihood of pointer overflow. In dump.c and
kdc_preauth.c, calloc() could be used to simplify the code and avoid
multiplication overflow. In pkinit_clnt.c, the wrong value was
checked for a null result from malloc(), and the code could be
simplified.
Reported by Nickolai Zeldovich <nickolai@csail.mit.edu>.
(cherry picked from commit
d3c5450ddf0b20855e86dab41735d56c6860156b)
[tlyu@mit.edu: omitted pkinit and kdb5_util fixes because they're not
conservative]
ticket: 7545 (new)
version_fixed: 1.10.4
status: resolved
krb5_key_data *entry_key;
int i, k;
- keys = malloc(sizeof(krb5_keyblock) * (request->nktypes + 1));
+ keys = calloc(request->nktypes + 1, sizeof(krb5_keyblock));
if (keys == NULL)
return ENOMEM;
- memset(keys, 0, sizeof(krb5_keyblock) * (request->nktypes + 1));
k = 0;
for (i = 0; i < request->nktypes; i++) {
entry_key = NULL;
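Review bot: The `+ 1` in `calloc(request->nktypes + 1, sizeof(krb5_keyblock))` is undocumented, and with the explicit memset gone a reader can no longer tell that the zero-fill is relied on rather than incidental. The extra element is presumably a zeroed keyblock terminating the list for whoever consumes `keys` — confirm against the callers — and that deserves a comment at the allocation: `/* One extra zeroed keyblock terminates the list; calloc's zero-fill is load-bearing. */`. Note that the `+ 1` is int arithmetic performed before the size_t conversion, so calloc's overflow check covers only the multiplication; acceptable for a decoded enctype count, but worth knowing. The enclosing function starts before and continues after this hunk.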
/* return length and data */
astream++;
savelen = *astream;
- if ((data->length = asn1length(&astream)) < 0) {
+ if ((length = asn1length(&astream)) < 0) {
return(-1);
}
+ data->length = length;
/* if the field length is indefinite, we will have to subtract two
(terminating octets) from the length returned since we don't want
to pass any info from the "wrapper" back. asn1length will always return
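Review bot: The fix only holds if `length` is declared with a signed type matching asn1length's return; its declaration is outside this hunk, so verify it is `int` and not `unsigned`, otherwise the `< 0` test is dead exactly as before. The comment that follows describes subtracting two terminating octets in the indefinite-length case; if that subtraction is applied to `data->length` (unsigned) it wraps when the decoded length is 0 or 1, so do it on the signed `length` before the assignment with a guard, e.g. `if (savelen == 0x80) { if (length < 2) return(-1); length -= 2; }` and then `data->length = length;`. The subtraction itself is not visible here. The enclosing function starts before and ends after this hunk.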
{
unsigned char *buf = *buf_in;
unsigned char *endptr = buf + cur_size;
- unsigned int seqsize;
+ int seqsize;
int ret = 0;
unsigned int bytes;
/*
* Make sure we have the entire buffer as described
*/
- if (buf + seqsize > endptr)
+ if (seqsize > endptr - buf)
return (G_BAD_TOK_HEADER);
} else {
return (G_BAD_TOK_HEADER);
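Review bot: The rewritten check `seqsize > endptr - buf` carries no comment explaining why it replaced the pointer form, so a later cleanup could "simplify" it back; the reason given in the commit message is that `buf + seqsize` can overflow or point outside the token, which is undefined behavior, whereas `endptr - buf` stays within the object. Suggest extending the existing comment: `/* Compare lengths, not pointers: buf + seqsize may overflow or leave the buffer (UB). */`. Also note the check accepts `seqsize == 0` with `buf == endptr`; if the code after this hunk reads another tag byte before consulting the remaining size, it additionally needs `endptr - buf >= 1` — that code is not visible here. The enclosing function starts before and continues after this hunk.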
/*
* Make sure we have the entire buffer as described
*/
- if (buf + bytes > endptr)
+ if (seqsize > endptr - buf)
return (G_BAD_TOK_HEADER);
} else {
return (G_BAD_TOK_HEADER);
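Review bot: This check now compares `seqsize` where the old line compared `bytes`, so it enforces a different bound (the declared sequence length must fit in the remaining input) rather than merely rewriting the pointer test; the commit message calls it a rewrite, and a one-line comment at the site would make the new intent explicit: `/* The inner SEQUENCE's declared length must fit in what remains of the outer one. */`. If `bytes` is now only an out-parameter of the length decoder and is never read afterwards — its `unsigned int` declaration in the earlier hunk is unchanged — consider `(void)bytes;` or dropping it to avoid an unused-variable warning; that cannot be confirmed from the visible lines. The enclosing function starts before and continues after this hunk.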