[3527] in Kerberos-V5-bugs


[krbdev.mit.edu #1216]

daemon@ATHENA.MIT.EDU (The RT System itself via RT)
Wed Oct 9 16:24:35 2002

Message-Id: <rt-1216-3170.11.5430184471819@krbdev.mit.edu>
In-Reply-To: <rt-1216@krbdev.mit.edu>
From: "The RT System itself via RT" <rt-comment@krbdev.mit.edu>
Reply-To: rt-comment@krbdev.mit.edu
To: krb5-prs@mit.edu
Errors-To: krb5-bugs-admin@mit.edu
Date: Wed, 9 Oct 2002 16:23:07 -0400 (EDT)


From nalin@blade.devel.redhat.com  Wed Oct  9 16:23:04 2002
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by krbdev.mit.edu (8.9.3) with ESMTP
	id QAA24755; Wed, 9 Oct 2002 16:23:04 -0400 (EDT)
Received: from blade.devel.redhat.com (nat-pool-rdu.redhat.com [66.187.233.200])
	by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id QAA28578
	for <krb5-bugs@mit.edu>; Wed, 9 Oct 2002 16:23:03 -0400 (EDT)
Received: from blade.devel.redhat.com (localhost.localdomain [127.0.0.1])
	by blade.devel.redhat.com (8.12.5/8.12.5) with ESMTP id g99KN9TG027961
	for <krb5-bugs@mit.edu>; Wed, 9 Oct 2002 16:23:09 -0400
Received: (from nalin@localhost)
	by blade.devel.redhat.com (8.12.5/8.12.5/Submit) id g99KN9ap027959;
	Wed, 9 Oct 2002 16:23:09 -0400
Date: Wed, 9 Oct 2002 16:23:09 -0400
Message-Id: <200210092023.g99KN9ap027959@blade.devel.redhat.com>
To: krb5-bugs@mit.edu
From: nalin@redhat.com
Reply-To: nalin@redhat.com
X-send-pr-version: 3.99
>Submitter-Id: 	net
>Originator: 	Nalin Dahyabhai
>Confidential: 	no
>Synopsis: 	
>Severity: 	non-critical
>Priority: 	low
>Category: 	krb5-libs
>Class: 		sw-bug
>Release: 	krb5-1.2.6
System: Linux 2.4.18
Architecture: i686

glibc 2.2.x/2.3

>Description:
	The res_search() function is allowed to return a result size
	which is larger than the size of the buffer which is passed in
	by the calling application (in this case, libkrb5) if the response
	has to be truncated to fit into the buffer.  libkrb5 does not
	check for this.
>How-To-Repeat:
	Configure a Kerberos client to use DNS to retrieve server
	information for the local realm, and populate DNS with large,
	unique RRs for the queries libkrb5 will make.
>Fix:
	A longer patch could retry a truncated request with a larger
	buffer, but the simplest thing is to fail for too-large responses,
	which is what should happen anyway if the library attempts to read
	past the end of its buffer.  This patch hasn't been thoroughly
	tested, but it looks correct:

--- src/lib/krb5/os/hst_realm.c	2002-10-09 14:03:04.000000000 -0400
+++ src/lib/krb5/os/hst_realm.c	2002-10-09 14:12:43.000000000 -0400
@@ -141,7 +141,7 @@
     }
     size = res_search(host, C_IN, T_TXT, answer.bytes, sizeof(answer.bytes));
 
-    if (size < 0)
+    if ((size < sizeof(HEADER)) || (size > sizeof(answer.bytes))
 	return KRB5_ERR_HOST_REALM_UNKNOWN;
 
     p = answer.bytes;
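Review bot: the new condition on the `+` line is missing a closing parenthesis: `if ((size < sizeof(HEADER)) || (size > sizeof(answer.bytes))` opens three parentheses and closes only two, so hst_realm.c will not compile as posted; it should read `if ((size < sizeof(HEADER)) || (size > sizeof(answer.bytes)))`. Separately, `size` is the int returned by res_search() while both sizeof() operands are size_t, so the comparisons are done unsigned and a -1 return is rejected only because it converts to a huge value that trips the upper bound. Keeping the original explicit `size < 0` test in front of the two new bounds makes the error path deliberate rather than incidental.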
--- src/lib/krb5/os/locate_kdc.c	2002-10-09 14:15:57.000000000 -0400
+++ src/lib/krb5/os/locate_kdc.c	2002-10-09 14:59:26.000000000 -0400
@@ -391,7 +391,7 @@
 
     size = res_search(host, C_IN, T_SRV, answer.bytes, sizeof(answer.bytes));
 
-    if (size < hdrsize)
+    if ((size < hdrsize) || (size > sizeof(answer.bytes))
 	goto out;
 
     /*
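Review bot: same unbalanced parenthesis as in the hst_realm.c hunk: `if ((size < hdrsize) || (size > sizeof(answer.bytes))` needs a third closing `)` before the `goto out`. The signed/unsigned point applies here too, since `size` is an int compared against a size_t; an explicit `size < 0` test ahead of the bounds (or a signed comparison) is clearer than relying on the unsigned conversion to catch resolver errors.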
@@ -463,6 +463,8 @@
         CHECK(p,2);
 	rdlen = NTOHSP(p,2);
 
+	CHECK(p,rdlen);
+
 	/*
 	 * If this is an SRV record, process it.  Record format is:
 	 *
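Review bot: `CHECK(p,rdlen)` is placed correctly, directly after RDLENGTH is read and before any RDATA byte is touched, which closes the over-read for oversized records that the description is about. Worth confirming that CHECK bounds against the end of the bytes actually received (`answer.bytes + size`) rather than against `sizeof(answer.bytes)`: its definition is not in the hunk, and the earlier change only guarantees `size <= sizeof(answer.bytes)`, so a record that fits in the buffer but not in the reply would otherwise still pass.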
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
http://mailman.mit.edu/mailman/listinfo/krb5-bugs
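The two checks the report calls for, as an added C illustration (not code from the report or from MIT krb5): validate the res_search() return value against the buffer it was given, then walk the answer section rejecting any record whose RDLENGTH runs past the bytes actually received. The header and name parsing here is a simplified, hypothetical stand-in for the resolver's HEADER and dn_expand() handling, and the sample message in the test is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#define DNS_HDR_LEN 12  /* fixed DNS header size, what sizeof(HEADER) measures */
/* Validate the length res_search() reported against the buffer it was given:
 * negative is an error, less than a header is unparseable, more than buflen
 * means the reply was truncated and only buflen bytes are real. */
static int checked_answer_len(int n, size_t buflen)
{
    if (n < 0 || (size_t)n < DNS_HDR_LEN || (size_t)n > buflen)
        return -1;
    return n;
}

/* Skip a possibly compressed domain name; returns bytes consumed or -1. */
static int skip_name(const uint8_t *p, size_t avail)
{
    for (size_t i = 0; i < avail; i += 1 + p[i]) {
        unsigned len = p[i];
        if (len == 0) return (int)i + 1;
        if ((len & 0xC0) == 0xC0)              /* compression pointer: 2 bytes */
            return (i + 2 <= avail) ? (int)i + 2 : -1;
        if (len > 63 || i + 1 + len > avail)   /* label overruns the message */
            return -1;
    }
    return -1;
}
/* Walk the answer section, checking each RDLENGTH against the bytes actually
 * received. Returns the number of well-formed answer RRs, or -1 if malformed. */
int count_valid_answers(const uint8_t *buf, int n, size_t buflen)
{
    int size = checked_answer_len(n, buflen), count = 0;
    if (size < 0) return -1;
    size_t off = DNS_HDR_LEN, end = (size_t)size;
    unsigned qd = (buf[4] << 8) | buf[5], an = (buf[6] << 8) | buf[7];
    for (unsigned i = 0; i < qd; i++) {       /* question: name + QTYPE + QCLASS */
        int l = skip_name(buf + off, end - off);
        if (l < 0 || end - off < (size_t)l + 4) return -1;
        off += (size_t)l + 4;
    }
    for (unsigned i = 0; i < an; i++) {       /* RR: name, 8 fixed bytes, RDLENGTH, RDATA */
        int l = skip_name(buf + off, end - off);
        if (l < 0 || end - off < (size_t)l + 10) return -1;
        off += (size_t)l + 8;
        size_t rdlen = ((size_t)buf[off] << 8) | buf[off + 1]; off += 2;
        if (rdlen > end - off) return -1;     /* the CHECK(p, rdlen) from the patch */
        off += rdlen; count++;
    }
    return count;
}
```

A caller that wants the retry behaviour the report mentions would treat the "n > buflen" case as a signal to reissue the query with a larger buffer instead of failing.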
