[31048] in CVS-changelog-for-Kerberos-V5
krb5 commit: Add more dump.c bounds checks
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Aug 25 18:03:25 2021
Date: Wed, 25 Aug 2021 18:03:19 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <202108252203.17PM3Jrw014288@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/d15930bec22781473c2eaf72c08a145508b373ba
commit d15930bec22781473c2eaf72c08a145508b373ba
Author: Greg Hudson <ghudson@mit.edu>
Date: Mon Aug 2 23:15:12 2021 -0400
Add more dump.c bounds checks
Although dump files are privileged inputs, the code to read them
should not admit integer overflows. Add bounds checks for several
fields which are used as allocation lengths or are assigned to
structure fields of smaller size and different signedness. Reported
by Sharwan Ram and Kihong Keo.
ticket: 9022
src/kadmin/dbutil/dump.c | 14 +++++++++++++-
1 files changed, 13 insertions(+), 1 deletions(-)
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index 634ba4a..a89b514 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -668,6 +668,10 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
}
/* Get memory for flattened principal name */
+ if (u2 > UINT_MAX / 2) {
+ load_err(fname, *linenop, _("cannot allocate principal (too large)"));
+ goto fail;
+ }
name = malloc(u2 + 1);
if (name == NULL)
goto fail;
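Review bot: The new bound `u2 > UINT_MAX / 2` is looser than what `malloc(u2 + 1)` alone requires (`u2 < UINT_MAX` is enough to keep the addition from wrapping), and nothing in the hunk says why the halfway point was chosen. If the intent is that the length must also survive a later conversion to a signed type (the commit message mentions fields of smaller size and different signedness), that reasoning belongs in a comment, e.g. `/* Bound u2 so that u2 + 1 cannot wrap and the length fits in an int. */`; otherwise a future reader may "tighten" it to `UINT_MAX - 1` and reintroduce the truncation. The comparison against UINT_MAX implies u2 is unsigned, which the hunk does not show directly, so confirm that against the declaration. process_k5beta7_princ begins and ends outside this hunk.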
@@ -682,6 +686,10 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
dbentry->n_tl_data = u3;
/* Get memory for key list */
+ if (u4 > INT16_MAX) {
+ load_err(fname, *linenop, _("invalid key_data size"));
+ goto fail;
+ }
if (u4 && (kp = calloc(u4, sizeof(krb5_key_data))) == NULL)
goto fail;
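Review bot: The context line `dbentry->n_tl_data = u3;` at the top of this hunk has the same shape as the assignment this hunk protects for u4, yet no bound on u3 is visible here. The `INT16_MAX` limit chosen for `n_key_data` suggests these count fields are 16-bit signed; if `n_tl_data` is the same type, u3 needs `if (u3 > INT16_MAX)` as well, and any existing check above the hunk should be confirmed to use INT16_MAX rather than UINT16_MAX, since a value in 32768..65535 would be stored as a negative count. Whatever guards u3 lies outside this hunk, so this is a request to verify rather than a confirmed gap. The enclosing function continues before and after this hunk.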
@@ -769,13 +777,17 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
load_err(fname, *linenop, _("unsupported key_data_ver version"));
goto fail;
}
+ if (t2 < 0 || t2 > UINT16_MAX) {
+ load_err(fname, *linenop, _("invalid kvno"));
+ goto fail;
+ }
kd->key_data_ver = t1;
kd->key_data_kvno = t2;
for (j = 0; j < t1; j++) {
nread = fscanf(filep, "%d\t%d\t", &t3, &t4);
- if (nread != 2 || t4 < 0) {
+ if (nread != 2 || t4 < 0 || t4 > UINT16_MAX) {
load_err(fname, *linenop,
_("cannot read key type and length"));
goto fail;
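Review bot: The widened condition range-checks only t4 even though the same `fscanf` reads t3 (the key type) into an `int`; if the key type is then stored into a 16-bit field, as the UINT16_MAX bound for t4 and the INT16_MAX bound elsewhere in this commit suggest for sibling fields, an out-of-range t3 is silently truncated to a different key type. A complete check would be `if (nread != 2 || t3 < INT16_MIN || t3 > INT16_MAX || t4 < 0 || t4 > UINT16_MAX) {`, with the target field's type confirmed first. The message "cannot read key type and length" now also fires for a value that was read successfully but is out of range, so a wording such as "invalid key type or length" would describe both cases. The assignments that consume t3 and t4, and the rest of the loop body, are outside this hunk.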