From: Greg Hudson
Date: Tue, 3 Aug 2021 03:15:12 +0000 (-0400)
Subject: Add more dump.c bounds checks
X-Git-Tag: krb5-1.20-beta1~62
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1206%2Fhead;p=thirdparty%2Fkrb5.git

Add more dump.c bounds checks

Although dump files are privileged inputs, the code to read them should not admit integer overflows. Add bounds checks for several fields which are used as allocation lengths or are assigned to structure fields of smaller size and different signedness. Reported by Sharwan Ram and Kihong Keo.

ticket: 9022
---
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index 634ba4a8bc..a89b5144f6 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -668,6 +668,10 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
     }
 
     /* Get memory for flattened principal name */
+    if (u2 > UINT_MAX / 2) {
+        load_err(fname, *linenop, _("cannot allocate principal (too large)"));
+        goto fail;
+    }
     name = malloc(u2 + 1);
     if (name == NULL)
         goto fail;
@@ -682,6 +686,10 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
     dbentry->n_tl_data = u3;
 
     /* Get memory for key list */
+    if (u4 > INT16_MAX) {
+        load_err(fname, *linenop, _("invalid key_data size"));
+        goto fail;
+    }
     if (u4 && (kp = calloc(u4, sizeof(krb5_key_data))) == NULL)
         goto fail;
 
@@ -769,13 +777,17 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
             load_err(fname, *linenop, _("unsupported key_data_ver version"));
             goto fail;
         }
+        if (t2 < 0 || t2 > UINT16_MAX) {
+            load_err(fname, *linenop, _("invalid kvno"));
+            goto fail;
+        }
         kd->key_data_ver = t1;
         kd->key_data_kvno = t2;
         for (j = 0; j < t1; j++) {
             nread = fscanf(filep, "%d\t%d\t", &t3, &t4);
-            if (nread != 2 || t4 < 0) {
+            if (nread != 2 || t4 < 0 || t4 > UINT16_MAX) {
                 load_err(fname, *linenop, _("cannot read key type and length"));
                 goto fail;
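Review bot: The bound `UINT_MAX / 2` in the new check ahead of `malloc(u2 + 1)` is far tighter than the `+ 1` alone requires (only `u2 == UINT_MAX` would wrap), and nothing in the hunk says why that margin was chosen, so a later reader may "correct" it to the looser bound; a why-comment on the check would pin the intent, e.g. `/* u2 + 1 must not wrap; the wide margin also keeps the length inside any int-sized field or length argument it feeds later */`, adjusted to whatever the downstream use actually is. The check is only meaningful if u2 is unsigned, which its declaration, outside this hunk, presumably shows; a signed type would let a negative value reach malloc. process_k5beta7_princ begins and continues outside this hunk.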
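Review bot: The context line `dbentry->n_tl_data = u3;` directly above the new `u4 > INT16_MAX` guard stores another unsigned count into what, judging by the parallel n_key_data handling, is likely a 16-bit signed field, yet no range check on u3 is visible in this hunk. If u3 is not bounded earlier in the function (outside this hunk), the assignment has the same truncation and sign-change problem the commit fixes for u4 and needs a matching guard before it, `if (u3 > INT16_MAX) { load_err(fname, *linenop, _("invalid tl_data size")); goto fail; }`. If such a check does already exist above, a one-line comment at the assignment pointing to it would keep the two counts visibly handled alike. process_k5beta7_princ continues outside this hunk on both sides.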