Add more dump.c bounds checks

Although dump files are privileged inputs, the code to read them
should not admit integer overflows.  Add bounds checks for several
fields which are used as allocation lengths or are assigned to
structure fields of smaller size and different signedness.  Reported
by Sharwan Ram and Kihong Keo.

ticket: 9022

diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index 634ba4a8bc0fcf95b5fa2cb8d33a5389bf042948..a89b5144f67ec92c428a13d1377897c40134f7aa 100644 (file)
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -668,6 +668,10 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
     }
 
     /* Get memory for flattened principal name */
+    if (u2 > UINT_MAX / 2) {
+        load_err(fname, *linenop, _("cannot allocate principal (too large)"));
+        goto fail;
+    }
     name = malloc(u2 + 1);
     if (name == NULL)
         goto fail;
@@ -682,6 +686,10 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
     dbentry->n_tl_data = u3;
 
     /* Get memory for key list */
+    if (u4 > INT16_MAX) {
+        load_err(fname, *linenop, _("invalid key_data size"));
+        goto fail;
+    }
     if (u4 && (kp = calloc(u4, sizeof(krb5_key_data))) == NULL)
         goto fail;
 
@@ -769,13 +777,17 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
             load_err(fname, *linenop, _("unsupported key_data_ver version"));
             goto fail;
         }
+        if (t2 < 0 || t2 > UINT16_MAX) {
+            load_err(fname, *linenop, _("invalid kvno"));
+            goto fail;
+        }
 
         kd->key_data_ver = t1;
         kd->key_data_kvno = t2;
 
         for (j = 0; j < t1; j++) {
             nread = fscanf(filep, "%d\t%d\t", &t3, &t4);
-            if (nread != 2 || t4 < 0) {
+            if (nread != 2 || t4 < 0 || t4 > UINT16_MAX) {
                 load_err(fname, *linenop,
                          _("cannot read key type and length"));
                 goto fail;