From d15930bec22781473c2eaf72c08a145508b373ba Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Mon, 2 Aug 2021 23:15:12 -0400
Subject: [PATCH] Add more dump.c bounds checks
Although dump files are privileged inputs, the code to read them should not admit integer overflows. Add bounds checks for several fields which are used as allocation lengths or are assigned to structure fields of smaller size and different signedness.
Reported by Sharwan Ram and Kihong Keo.
ticket: 9022
---
 src/kadmin/dbutil/dump.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index 634ba4a8bc..a89b5144f6 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -668,6 +668,10 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep, } /* Get memory for flattened principal name */
+ if (u2 > UINT_MAX / 2) {
+ load_err(fname, *linenop, _("cannot allocate principal (too large)"));
+ goto fail;
+ }
 name = malloc(u2 + 1); if (name == NULL) goto fail;
@@ -682,6 +686,10 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep, dbentry->n_tl_data = u3; /* Get memory for key list */
+ if (u4 > INT16_MAX) {
+ load_err(fname, *linenop, _("invalid key_data size"));
+ goto fail;
+ }
 if (u4 && (kp = calloc(u4, sizeof(krb5_key_data))) == NULL) goto fail;
@@ -769,13 +777,17 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep, load_err(fname, *linenop, _("unsupported key_data_ver version")); goto fail; }
+ if (t2 < 0 || t2 > UINT16_MAX) {
+ load_err(fname, *linenop, _("invalid kvno"));
+ goto fail;
+ }
 kd->key_data_ver = t1; kd->key_data_kvno = t2; for (j = 0; j < t1; j++) { nread = fscanf(filep, "%d\t%d\t", &t3, &t4);
- if (nread != 2 || t4 < 0) {
+ if (nread != 2 || t4 < 0 || t4 > UINT16_MAX) {
 load_err(fname, *linenop, _("cannot read key type and length")); goto fail;
-- 2.47.2
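Review bot: The limit `UINT_MAX / 2` in the new guard before `name = malloc(u2 + 1)` is not explained, and what the guard actually prevents is `u2 + 1` wrapping to 0 when u2 is at the top of its range, which malloc would then accept and leave name far too small for the string that is read into it. A one-line comment on the check would keep a future maintainer from "correcting" the constant, e.g. `/* Keep u2 + 1 from wrapping; the cap is deliberately far below UINT_MAX. */`. The message "cannot allocate principal (too large)" is emitted before any allocation is attempted, so an operator may read it as an out-of-memory condition; `_("principal name too large")` would be more precise. The type of u2 is inferred here from the comparison against UINT_MAX, and process_k5beta7_princ begins and ends outside this hunk.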
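Review bot: The context line `dbentry->n_tl_data = u3;` directly above the new `u4 > INT16_MAX` check stores u3 into a structure field with no visible bound, while u4 gets the INT16_MAX cap the commit message describes for narrow signed fields; if n_tl_data is the same kind of 16-bit signed count as n_key_data appears to be, u3 needs the same guard, unless it is validated earlier in the function outside this hunk. The symmetric form would be `if (u3 > INT16_MAX) { load_err(fname, *linenop, _("invalid tl_data size")); goto fail; }` placed before the assignment. The reason for INT16_MAX is also worth a comment on the new check, e.g. `/* n_key_data is a 16-bit signed count. */`, since nothing in the hunk shows the field's width. process_k5beta7_princ begins and ends outside this hunk.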
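Review bot: In the per-key loop, t3 is read by the same `fscanf(filep, "%d\t%d\t", &t3, &t4)` as t4 but receives no range check, while t4 is now bounded to UINT16_MAX; if t3 is later stored into a 16-bit key type slot (that assignment is outside the hunk), an out-of-range value silently truncates, which is exactly the class of defect this commit targets. The existing message "cannot read key type and length" is now also raised for a length that was read fine but is too large, so a separate branch with `_("invalid key length")` would make the log actionable. The kvno guard `t2 < 0 || t2 > UINT16_MAX` is consistent with the t4 bound and reads clearly. The loop and process_k5beta7_princ both continue past the end of this hunk.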