File krb5-1.6-MITKRB5-SA-2009-001.dif of Package krb5
--- src/lib/gssapi/spnego/spnego_mech.c
+++ src/lib/gssapi/spnego/spnego_mech.c 2009/04/03 11:52:31
@@ -54,8 +54,8 @@
/* der routines defined in libgss */
extern unsigned int gssint_der_length_size(OM_uint32);
-extern int gssint_get_der_length(unsigned char **, OM_uint32, OM_uint32*);
-extern int gssint_put_der_length(OM_uint32, unsigned char **, OM_uint32);
+extern int gssint_get_der_length(unsigned char **, OM_uint32, unsigned int*);
+extern int gssint_put_der_length(OM_uint32, unsigned char **, unsigned int);
/* private routines for spnego_mechanism */
@@ -1249,7 +1249,8 @@
}
cleanup:
if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) {
- tmpret = make_spnego_tokenTarg_msg(negState, sc->internal_mech,
+ tmpret = make_spnego_tokenTarg_msg(negState,
+ sc ? sc->internal_mech : GSS_C_NO_OID,
&mechtok_out, mic_out,
return_token,
output_token);
@@ -1802,22 +1803,17 @@
get_input_token(unsigned char **buff_in, unsigned int buff_length)
{
gss_buffer_t input_token;
- unsigned int bytes;
+ unsigned int len;
- if (**buff_in != OCTET_STRING)
+ if (g_get_tag_and_length(buff_in, OCTET_STRING, buff_length, &len) < 0)
return (NULL);
- (*buff_in)++;
input_token = (gss_buffer_t)malloc(sizeof (gss_buffer_desc));
if (input_token == NULL)
return (NULL);
- input_token->length = gssint_get_der_length(buff_in, buff_length, &bytes);
- if ((int)input_token->length == -1) {
- free(input_token);
- return (NULL);
- }
+ input_token->length = len;
input_token->value = malloc(input_token->length);
if (input_token->value == NULL) {
@@ -1869,8 +1865,8 @@
{
gss_OID_set returned_mechSet;
OM_uint32 major_status;
- OM_uint32 length;
- OM_uint32 bytes;
+ int length;
+ unsigned int bytes;
OM_uint32 set_length;
unsigned char *start;
int i;
@@ -1882,22 +1878,25 @@
(*buff_in)++;
length = gssint_get_der_length(buff_in, buff_length, &bytes);
+ if (length < 0 || buff_length - bytes < (unsigned int)length)
+ return NULL;
major_status = gss_create_empty_oid_set(minor_status,
&returned_mechSet);
if (major_status != GSS_S_COMPLETE)
return (NULL);
- for (set_length = 0, i = 0; set_length < length; i++) {
+ for (set_length = 0, i = 0; set_length < (unsigned int)length; i++) {
gss_OID_desc *temp = get_mech_oid(minor_status, buff_in,
buff_length - (*buff_in - start));
- if (temp != NULL) {
- major_status = gss_add_oid_set_member(minor_status,
- temp, &returned_mechSet);
- if (major_status == GSS_S_COMPLETE) {
+ if (temp == NULL)
+ break;
+
+ major_status = gss_add_oid_set_member(minor_status,
+ temp, &returned_mechSet);
+ if (major_status == GSS_S_COMPLETE) {
set_length += returned_mechSet->elements[i].length +2;
generic_gss_release_oid(minor_status, &temp);
- }
}
}
@@ -2097,7 +2096,7 @@
return GSS_S_DEFECTIVE_TOKEN;
if (*ptr++ == SEQUENCE) {
tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes);
- if (tmplen < 0)
+ if (tmplen < 0 || REMAIN < (unsigned int)tmplen)
return GSS_S_DEFECTIVE_TOKEN;
}
if (REMAIN < 1)
@@ -2107,7 +2106,7 @@
if (tag == CONTEXT) {
tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes);
- if (tmplen < 0)
+ if (tmplen < 0 || REMAIN < (unsigned int)tmplen)
return GSS_S_DEFECTIVE_TOKEN;
if (g_get_tag_and_length(&ptr, ENUMERATED,
@@ -2128,7 +2127,7 @@
}
if (tag == (CONTEXT | 0x01)) {
tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes);
- if (tmplen < 0)
+ if (tmplen < 0 || REMAIN < (unsigned int)tmplen)
return GSS_S_DEFECTIVE_TOKEN;
*supportedMech = get_mech_oid(minor_status, &ptr, REMAIN);
@@ -2142,7 +2141,7 @@
}
if (tag == (CONTEXT | 0x02)) {
tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes);
- if (tmplen < 0)
+ if (tmplen < 0 || REMAIN < (unsigned int)tmplen)
return GSS_S_DEFECTIVE_TOKEN;
*responseToken = get_input_token(&ptr, REMAIN);
@@ -2156,7 +2155,7 @@
}
if (tag == (CONTEXT | 0x03)) {
tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes);
- if (tmplen < 0)
+ if (tmplen < 0 || REMAIN < (unsigned int)tmplen)
return GSS_S_DEFECTIVE_TOKEN;
*mechListMIC = get_input_token(&ptr, REMAIN);
@@ -2464,6 +2463,8 @@
if (outbuf == GSS_C_NO_BUFFER)
return (GSS_S_DEFECTIVE_TOKEN);
+ if (sendtoken == INIT_TOKEN_SEND && mech_wanted == GSS_C_NO_OID)
+ return (GSS_S_DEFECTIVE_TOKEN);
outbuf->length = 0;
outbuf->value = NULL;
@@ -2715,7 +2716,7 @@
&encoded_len);
if (tmplen < 0) {
ret = -1;
- } else if (tmplen > buflen - (ptr - *buf)) {
+ } else if ((unsigned int)tmplen > buflen - (ptr - *buf)) {
ret = -1;
} else
ret = 0;
--- src/lib/krb5/asn.1/asn1buf.c
+++ src/lib/krb5/asn.1/asn1buf.c 2009/03/19 09:22:15
@@ -78,11 +78,11 @@
asn1_error_code asn1buf_imbed(asn1buf *subbuf, const asn1buf *buf, const unsigned int length, const int indef)
{
+ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
subbuf->base = subbuf->next = buf->next;
if (!indef) {
+ if (length > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;
subbuf->bound = subbuf->base + length - 1;
- if (subbuf->bound > buf->bound)
- return ASN1_OVERRUN;
} else /* constructed indefinite */
subbuf->bound = buf->bound;
return 0;
@@ -200,6 +200,7 @@
{
int i;
+ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
if (len == 0) {
*s = 0;
@@ -218,6 +219,7 @@
{
int i;
+ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
if (len == 0) {
*s = 0;
