krb5_error_code KRB5_CALLCONV
krb5_ser_unpack_int64(int64_t *, krb5_octet **, size_t *);
+krb5_error_code
+k5_ser_unpack_len(size_t *len_out, krb5_octet **bufp, size_t *remainp);
+
/* [De]serialize byte string */
krb5_error_code KRB5_CALLCONV
krb5_ser_pack_bytes(krb5_octet *, size_t, krb5_octet **, size_t *);
free(oid);
return EINVAL;
}
+ if (ibuf < 0 || (size_t)ibuf > remain) {
+ free(oid);
+ return EINVAL;
+ }
oid->length = ibuf;
oid->elements = malloc((size_t)ibuf);
if (oid->elements == 0) {
/* authdata */
if (!kret)
kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ if (!kret && (ibuf < 0 || (size_t)ibuf > remain))
+ kret = ENOMEM;
if (!kret) {
krb5_int32 nadata = ibuf, i;
size_t *lenremain)
{
krb5_error_code code = 0;
- krb5_int32 i, count;
krb5_octet *bp;
- size_t remain;
+ size_t remain, count, i;
bp = *buffer;
remain = *lenremain;
- code = krb5_ser_unpack_int32(&count, &bp, &remain);
+ code = k5_ser_unpack_len(&count, &bp, &remain);
if (code != 0)
return code;
krb5_error_code ret;
int32_t ibuf;
uint8_t *bp;
- size_t remain;
+ size_t remain, len;
krb5_pac pac = NULL;
bp = *buffer;
remain = *lenremain;
- /* length */
- ret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ret = k5_ser_unpack_len(&len, &bp, &remain);
if (ret)
return ret;
- if (ibuf != 0) {
- ret = krb5_pac_parse(context, bp, ibuf, &pac);
+ if (len > 0) {
+ ret = krb5_pac_parse(context, bp, len, &pac);
if (ret)
return ret;
- bp += ibuf;
- remain -= ibuf;
+ bp += len;
+ remain -= len;
}
/* verified */
krb5_auth_context auth_context;
krb5_int32 ibuf;
krb5_octet *bp;
- size_t remain;
- krb5_int32 cstate_len;
+ size_t remain, cstate_len;
krb5_int32 tag;
bp = *buffer;
auth_context->safe_cksumtype = (krb5_cksumtype) ibuf;
/* Get length of cstate */
- (void) krb5_ser_unpack_int32(&cstate_len, &bp, &remain);
+ (void) k5_ser_unpack_len(&cstate_len, &bp, &remain);
if (cstate_len) {
kret = alloc_data(&auth_context->cstate, cstate_len);
krb5_authdata *authdata;
krb5_int32 ibuf;
krb5_octet *bp;
- size_t remain;
+ size_t remain, len;
bp = *buffer;
remain = *lenremain;
authdata->ad_type = (krb5_authdatatype) ibuf;
/* Get the length */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- authdata->length = (int) ibuf;
+ (void) k5_ser_unpack_len(&len, &bp, &remain);
+ authdata->length = len;
/* Get the string */
- if ((authdata->contents = (krb5_octet *)
- malloc((size_t) (ibuf))) &&
- !(kret = krb5_ser_unpack_bytes(authdata->contents,
- (size_t) ibuf,
+ authdata->contents = malloc(len);
+ if (authdata->contents != NULL &&
+ !(kret = krb5_ser_unpack_bytes(authdata->contents, len,
&bp, &remain))) {
if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
ibuf = 0;
krb5_address *address;
krb5_int32 ibuf;
krb5_octet *bp;
- size_t remain;
+ size_t remain, len;
bp = *buffer;
remain = *lenremain;
address->addrtype = (krb5_addrtype) ibuf;
/* Get the length */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- address->length = (int) ibuf;
+ (void) k5_ser_unpack_len(&len, &bp, &remain);
+ address->length = len;
/* Get the string */
- if ((address->contents = (krb5_octet *) malloc((size_t) (ibuf))) &&
- !(kret = krb5_ser_unpack_bytes(address->contents,
- (size_t) ibuf,
+ address->contents = malloc(len);
+ if (address->contents != NULL &&
+ !(kret = krb5_ser_unpack_bytes(address->contents, len,
&bp, &remain))) {
/* Get the trailer */
if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
krb5_authenticator *authenticator;
krb5_int32 ibuf;
krb5_octet *bp;
- size_t remain;
- int i;
- krb5_int32 nadata;
- size_t len;
+ size_t remain, len, i;
bp = *buffer;
remain = *lenremain;
}
/* Attempt to read in the authorization data count */
- if (!(kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) {
- nadata = ibuf;
- len = (size_t) (nadata + 1);
-
+ kret = k5_ser_unpack_len(&len, &bp, &remain);
+ if (!kret) {
/* Get memory for the authorization data pointers */
if ((authenticator->authorization_data = (krb5_authdata **)
- calloc(len, sizeof(krb5_authdata *)))) {
- for (i=0; !kret && (i<nadata); i++) {
+ calloc(len + 1, sizeof(krb5_authdata *)))) {
+ for (i = 0; !kret && i < len; i++) {
kret = k5_internalize_authdata(&authenticator->
authorization_data[i],
&bp, &remain);
krb5_checksum *checksum;
krb5_int32 ibuf;
krb5_octet *bp;
- size_t remain;
+ size_t remain, len;
bp = *buffer;
remain = *lenremain;
checksum->checksum_type = (krb5_cksumtype) ibuf;
/* Get the length */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- checksum->length = (int) ibuf;
+ (void) k5_ser_unpack_len(&len, &bp, &remain);
+ checksum->length = len;
/* Get the string */
- if (!ibuf ||
- ((checksum->contents = (krb5_octet *)
- malloc((size_t) (ibuf))) &&
- !(kret = krb5_ser_unpack_bytes(checksum->contents,
- (size_t) ibuf,
+ if (!len ||
+ ((checksum->contents = malloc(len)) &&
+ !(kret = krb5_ser_unpack_bytes(checksum->contents, len,
&bp, &remain)))) {
/* Get the trailer */
krb5_context context;
krb5_int32 ibuf;
krb5_octet *bp;
- size_t remain;
- unsigned int i, count;
+ size_t remain, len, count, i;
bp = *buffer;
remain = *lenremain;
return (ENOMEM);
/* Get the size of the default realm */
- if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
+ kret = k5_ser_unpack_len(&len, &bp, &remain);
+ if (kret)
goto cleanup;
- if (ibuf) {
- context->default_realm = (char *) malloc((size_t) ibuf+1);
+ if (len > 0) {
+ context->default_realm = malloc(len + 1);
if (!context->default_realm) {
kret = ENOMEM;
goto cleanup;
}
kret = krb5_ser_unpack_bytes((krb5_octet *) context->default_realm,
- (size_t) ibuf, &bp, &remain);
+ len, &bp, &remain);
if (kret)
goto cleanup;
- context->default_realm[ibuf] = '\0';
+ context->default_realm[len] = '\0';
}
/* Get the tgs_etypes */
- if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
+ kret = k5_ser_unpack_len(&count, &bp, &remain);
+ if (kret)
goto cleanup;
- count = ibuf;
if (count > 0) {
context->tgs_etypes = calloc(count + 1, sizeof(krb5_enctype));
if (!context->tgs_etypes) {
krb5_keyblock *keyblock;
krb5_int32 ibuf;
krb5_octet *bp;
- size_t remain;
+ size_t remain, len;
bp = *buffer;
remain = *lenremain;
keyblock->enctype = (krb5_enctype) ibuf;
/* Get the length */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- keyblock->length = (int) ibuf;
+ (void) k5_ser_unpack_len(&len, &bp, &remain);
+ keyblock->length = len;
/* Get the string */
- if ((keyblock->contents = (krb5_octet *) malloc((size_t) (ibuf)))&&
- !(kret = krb5_ser_unpack_bytes(keyblock->contents,
- (size_t) ibuf,
+ if ((keyblock->contents = malloc(len)) &&
+ !(kret = krb5_ser_unpack_bytes(keyblock->contents, len,
&bp, &remain))) {
kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
if (!kret && (ibuf == KV5M_KEYBLOCK)) {
krb5_principal principal = NULL;
krb5_int32 ibuf;
krb5_octet *bp;
- size_t remain;
+ size_t remain, len;
char *tmpname = NULL;
*argp = NULL;
return EINVAL;
/* Read the principal name */
- kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ kret = k5_ser_unpack_len(&len, &bp, &remain);
if (kret)
return kret;
- tmpname = malloc(ibuf + 1);
- kret = krb5_ser_unpack_bytes((krb5_octet *) tmpname, (size_t) ibuf,
- &bp, &remain);
+ tmpname = malloc(len + 1);
+ kret = krb5_ser_unpack_bytes((krb5_octet *) tmpname, len, &bp, &remain);
if (kret)
goto cleanup;
- tmpname[ibuf] = '\0';
+ tmpname[len] = '\0';
/* Parse the name to a principal structure */
kret = krb5_parse_name_flags(NULL, tmpname,
return(ENOMEM);
}
+/* Unpack a 4-byte integer and verify that it is no larger than the number of
+ * remaining bytes. */
+krb5_error_code
+k5_ser_unpack_len(size_t *len_out, krb5_octet **bufp, size_t *remainp)
+{
+ krb5_error_code ret;
+ int32_t n;
+
+ *len_out = 0;
+ ret = krb5_ser_unpack_int32(&n, bufp, remainp);
+ if (ret)
+ return ret;
+ if (n < 0 || (size_t)n > *remainp)
+ return ENOMEM;
+ *len_out = n;
+ return 0;
+}
+
/*
* krb5_ser_unpack_bytes() - Unpack a byte string if it's there.
*/
k5_rc_get_name
k5_rc_resolve
k5_rc_store
+k5_ser_unpack_len
k5_size_auth_context
k5_size_authdata
k5_size_authdata_context
code = krb5_ser_unpack_int32(&length, &bp, &remain);
if (code != 0)
return code;
+ if (length < 0 || (size_t)length > remain)
+ return ENOMEM;
/* Greeting Contents */
if (length != 0) {
projects / thirdparty / krb5.git / commitdiff
