[3034] in Kerberos-V5-bugs
krb5-appl/685: GSSAPI buf alloc problems in ftp/ftpd
daemon@ATHENA.MIT.EDU (fcusack@iconnet.net)
Sat Jan 23 20:22:07 1999
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, fcusack@iconnet.net
Date: Sat, 23 Jan 1999 20:23:06 -0500 (EST)
From: fcusack@iconnet.net
Reply-To: fcusack@iconnet.net
To: krb5-bugs@MIT.EDU
Cc: fcusack@iconnet.net
>Number: 685
>Category: krb5-appl
>Synopsis: ftp/ftpd misallocates buffer space for GSSAPI
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Sat Jan 23 20:22:00 EST 1999
>Last-Modified:
>Originator: Frank Cusack
>Organization:
Qwest Comm.
>Release: krb5-current-19981012
>Environment:
Unix
System: SunOS ratbert 5.6 Generic_105181-09 sun4u sparc SUNW,Ultra-5_10
Architecture: sun4
>Description:
secure.c, in secure_putbuf(), uses a static buffer for GSSAPI
(or KRB4) data. The size of this buffer is kept in the
static variable `bufsize'. For KRB4, this var is set correctly,
and apparently that code was partially copied for GSSAPI.
In the GSSAPI section, bufsize is set larger (by FUDGE_FACTOR)
than the actual space allocated; this could cause memory
corruption if the next call to secure_putbuf() that needs
a larger buffer is larger by <= FUDGE_FACTOR.
>How-To-Repeat:
>Fix:
Index: src/appl/gssftp/ftp/secure.c
===================================================================
RCS file: /icon/d04/src/3rd-party/krb5-19981012/src/appl/gssftp/ftp/secure.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 secure.c
--- secure.c 1998/10/14 00:47:31 1.1.1.1
+++ secure.c 1999/01/24 01:11:39
@@ -282,7 +282,7 @@
if (outbuf?
(outbuf = realloc(outbuf, (unsigned) out_buf.length)):
(outbuf = malloc((unsigned) out_buf.length))) {
- bufsize = nbyte + FUDGE_FACTOR;
+ bufsize = out_buf.length;
} else {
bufsize = 0;
secure_error("%s (in malloc of PROT buffer)",
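Review bot: recording `bufsize = out_buf.length` is the correct fix for this hunk, because the realloc/malloc on the two lines above allocate exactly out_buf.length bytes and bufsize must never claim more than was allocated (the old `nbyte + FUDGE_FACTOR` value is only right where the allocation itself is that size, as the description notes for the KRB4 path). One remaining problem in the same lines: `outbuf = realloc(outbuf, (unsigned) out_buf.length)` overwrites the only pointer to the old block, so when realloc fails the else branch sets bufsize = 0 but the previous buffer leaks; assign realloc's result to a temporary and store it into outbuf only on success. Minor: the allocation length is cast to (unsigned) but the new assignment is not, so add the cast for consistency with the lines above.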
>Audit-Trail:
>Unformatted:
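The following is an added example, not code from krb5 or from this bug report. It models the buffer tracking in secure_putbuf() described above and shows why recording `bufsize = nbyte + FUDGE_FACTOR` after allocating only out_buf.length bytes lets a later, slightly larger call skip the realloc and overrun the buffer. The FUDGE_FACTOR value, the seal overhead, and the function and struct names are assumptions; the overrun is computed rather than performed so the program stays well-defined.

```c
/*
 * Added example (not krb5 code): a model of secure_putbuf()'s buffer
 * tracking. The GSSAPI path allocates out_buf.length bytes but the
 * unpatched code records bufsize = nbyte + FUDGE_FACTOR; when the
 * mechanism's seal overhead is smaller than FUDGE_FACTOR, bufsize
 * overstates the allocation and a later call can skip the realloc.
 * FUDGE_FACTOR and SEAL_OVERHEAD values are assumptions.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FUDGE_FACTOR  32   /* assumed: the slack used by the KRB4 path */
#define SEAL_OVERHEAD 16   /* assumed: per-token overhead of the mechanism */

struct putbuf_state {
    unsigned char *outbuf;   /* the static outbuf in secure.c */
    unsigned int bufsize;    /* what the code believes outbuf can hold */
    unsigned int allocated;  /* what was really allocated (for checking) */
};

/* Stand-in for gss_seal(): output token = input plus mechanism overhead. */
static unsigned int sealed_len(unsigned int nbyte)
{
    return nbyte + SEAL_OVERHEAD;
}

/*
 * Model of the GSSAPI branch of secure_putbuf(). With fixed != 0 the
 * recorded bufsize is the allocation length (the patch); otherwise it is
 * nbyte + FUDGE_FACTOR (the bug). Returns the number of bytes the final
 * memcpy would write past the real allocation, 0 if the copy fits, or
 * -1 if allocation fails. The overrun is reported, never executed.
 */
static int model_putbuf(struct putbuf_state *s, unsigned int nbyte, int fixed)
{
    unsigned int out_len = sealed_len(nbyte);

    if (s->bufsize < out_len) {
        /* Keep the old pointer until realloc succeeds so it is not leaked. */
        unsigned char *p = s->outbuf ? realloc(s->outbuf, out_len)
                                     : malloc(out_len);
        if (p == NULL) {
            s->bufsize = 0;
            return -1;
        }
        s->outbuf = p;
        s->allocated = out_len;
        s->bufsize = fixed ? out_len : nbyte + FUDGE_FACTOR;
    }

    if (out_len > s->allocated)
        return (int)(out_len - s->allocated);   /* memcpy would overrun */

    memset(s->outbuf, 0xAA, out_len);           /* safe stand-in for memcpy */
    return 0;
}

/*
 * Two consecutive writes where the second is larger by less than
 * FUDGE_FACTOR. Returns the overrun (in bytes) the second write would cause.
 */
static int overrun_after_two_writes(int fixed)
{
    struct putbuf_state s = { NULL, 0, 0 };
    int r1 = model_putbuf(&s, 100, fixed);   /* allocates 116 bytes */
    int r2 = model_putbuf(&s, 110, fixed);   /* needs 126 bytes */
    free(s.outbuf);
    return r1 != 0 ? r1 : r2;
}

int main(void)
{
    printf("unpatched: %d bytes past the end of outbuf\n",
           overrun_after_two_writes(0));
    printf("patched:   %d bytes past the end of outbuf\n",
           overrun_after_two_writes(1));
    return 0;
}
```

With the assumed sizes the unpatched model records bufsize = 132 after allocating 116 bytes, so the second call (126 bytes of sealed output) is judged to fit and would write 10 bytes past the allocation; the patched model records 116, reallocates to 126, and the copy fits. The temporary around realloc also avoids the leak of the old buffer on allocation failure.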