From 4474192dd3821cd44430c6afd0e133389393874e Mon Sep 17 00:00:00 2001
From: Amos Jeffries
Date: Wed, 6 Jan 2016 17:02:24 +1300
Subject: [PATCH] negotiate_kerberos_auth: check for overflow on count of group SIDs

When processing a Kerberos token the count of group SID records is received from the remote end. Validate that the count given does not exceed the possible length values on 32-bit systems. Detected by Coveriity Scan. Issues 1258701, 1258702,1258703
---
 .../kerberos/negotiate_kerberos_pac.cc | 29 ++++++++++++++-----
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc b/helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc
index 9d8b85b980..57a5edc937 100644
--- a/helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc
+++ b/helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc
@@ -203,20 +203,26 @@ getdomaingids(char *ad_groups, uint32_t DomainLogonId, char **Rids, uint32_t Gro
 }
 if (DomainLogonId!= 0) {
- uint32_t nauth;
 uint8_t rev;
 uint64_t idauth;
 char dli[256];
 char *ag;
- size_t length;
 int l;
 align(4);
- nauth = get4byt();
+ uint32_t nauth = get4byt();
+
+ // check if nauth math will produce invalid length values on 32-bit
+ static uint32_t maxGidCount = (UINT32_MAX-1-1-6)/4;
+ if (nauth > maxGidCount) {
+ debug((char *) "%s| %s: ERROR: Too many groups ! count > %d : %s\n",
+ LogTime(), PROGRAM, maxGidCount, ad_groups);
+ return NULL;
+ }
+ size_t length = 1+1+6+nauth*4;
 /* prepend rids with DomainID */
- length=1+1+6+nauth*4;
 for (l=0; l<(int)GroupCount; l++) {
 ag=(char *)xcalloc((length+4)*sizeof(char),1);
 memcpy((void *)ag,(const void*)&p[bpos],1);
@@ -273,7 +279,6 @@ getextrasids(char *ad_groups, uint32_t ExtraSids, uint32_t SidCount)
 uint32_t ngroup;
 uint32_t *pa;
 char *ag;
- size_t length;
 int l;
 align(4);
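Review bot: The new bound on `nauth` does not account for the extra `+4` that `xcalloc((length+4)*sizeof(char),1)` adds a few lines below it: with a 32-bit `size_t` the largest accepted count, `(UINT32_MAX-8)/4`, gives `length == UINT32_MAX-3`, so `length+4` wraps to 0, the request becomes a zero-size allocation, and the `memcpy` on the next line writes into it; deriving the limit from the size actually allocated closes the gap, `static const uint32_t maxGidCount = (UINT32_MAX-1-1-6-4)/4;`. The comment above the check describes the wrap as 32-bit specific, but `nauth*4` is evaluated in `uint32_t` on every platform (the widening to `size_t` happens only after the addition), so `// nauth*4 is uint32_t arithmetic: reject counts that would wrap it` describes the guard more accurately. The `debug` call prints the `uint32_t` limit with `%d`; `%u` matches the type, and the same `%d` appears in the getextrasids hunk. getdomaingids begins and ends outside the hunk.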
@@ -295,13 +300,21 @@ getextrasids(char *ad_groups, uint32_t ExtraSids, uint32_t SidCount)
 char es[256];
 if (pa[l] != 0) {
- uint32_t nauth;
 uint8_t rev;
 uint64_t idauth;
- nauth = get4byt();
+ uint32_t nauth = get4byt();
+
+ // check if nauth math will produce invalid length values on 32-bit
+ static uint32_t maxGidCount = (UINT32_MAX-1-1-6)/4;
+ if (nauth > maxGidCount) {
+ debug((char *) "%s| %s: ERROR: Too many extra groups ! count > %d : %s\n",
+ LogTime(), PROGRAM, maxGidCount, ad_groups);
+ xfree(pa);
+ return NULL;
+ }
- length = 1+1+6+nauth*4;
+ size_t length = 1+1+6+nauth*4;
 ag = (char *)xcalloc((length)*sizeof(char),1);
 memcpy((void *)ag,(const void*)&p[bpos],length);
 if (!ad_groups) {
-- 
2.47.3
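Review bot: The added check only keeps `1+1+6+nauth*4` from wrapping; `length` is still derived from a count supplied by the remote end and is then passed as-is to `memcpy((void *)ag,(const void*)&p[bpos],length)`, so unless `bpos+length` is already compared with the size of the token buffer `p` somewhere outside this hunk, an inflated count makes that copy read past the end of the token into the freshly allocated `ag`. If the buffer size is in scope here, a guard placed before the copy along the lines of `if (length > PAC_BUFFER_LEN_PLACEHOLDER - bpos) { xfree(pa); return NULL; }` (placeholder for whatever variable holds the token length) would bound the read to the data actually received. The `debug` call prints the `uint32_t` limit with `%d`; `%u` matches the type. The loop that indexes `pa[l]` and getextrasids itself start and end outside the hunk.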