In gssrpc__svcauth_gssapi(), check that the client handle length is at
least 4, to prevent an out-of-bounds read by get_client().
[ghudson@mit.edu: combined length<4 check with length==0 check;
rewrote commit message]
ticket: 9201 (new)
tags: pullup
target_version: 1.22-next
goto error;
}
} else {
- if (creds.client_handle.length == 0) {
- PRINTF(("svcauth_gssapi: expected non-empty creds\n"));
+ if (creds.client_handle.length < 4) {
+ PRINTF(("svcauth_gssapi: expected creds length at least 4\n"));
LOG_MISCERR("protocol error in client credentials");
ret = AUTH_FAILED;
goto error;
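Review bot: The literal `4` in the added check `creds.client_handle.length < 4` is unexplained at this site; only the commit message ties it to what get_client() reads. A comment above the check, such as `/* get_client() reads the first 4 bytes of the handle; reject shorter input */`, would keep the bound and the reader in step if either changes. get_client() is not visible in this hunk, so the wording should be confirmed against it, and a named constant or `sizeof` of the handle type shared by both sites would be sturdier than two independent literals. If server-issued handles are always exactly 4 bytes (not shown here), it may be worth deciding explicitly whether longer handles should also be treated as a protocol error. The enclosing function starts and ends outside the hunk.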