git.michaelhowe.org Git - packages/o/openafs.git/commit

author	Anders Kaseorg <andersk@mit.edu>
	Sun, 4 May 2014 09:30:25 +0000 (05:30 -0400)
committer	Jeffrey Altman <jaltman@your-file-system.com>
	Sun, 4 May 2014 18:36:10 +0000 (14:36 -0400)
commit	9c10c202f1f2e516dde8b70c3a3b69a73d163070
tree	9050ad2551e08458960a513d886f2e2365e2eb3e	tree \| snapshot
parent	279345c231d0a2d9f6e8c2f76a5347bafd40e70b	commit \| diff

Fix buffer length validation in ktc_GetToken and knfs

The signed int tktLen is checked against a maximum size, then passed
as the unsigned size_t argument to memcpy. So we need to make sure it
isn’t negative.

This doesn’t appear to be exploitable: tktLen comes from the kernel,
which should have previously validated the length within the SETTOK
pioctl.

This bug was found with STACK <http://css.csail.mit.edu/stack/>.

Change-Id: I781bd300cad3d725d3517e7f6ac9e6423c417087
Signed-off-by: Anders Kaseorg <andersk@mit.edu>
Reviewed-on: http://gerrit.openafs.org/11109
Reviewed-by: Chas Williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>

src/auth/ktc.c		diff \| blob \| history
src/kauth/knfs.c		diff \| blob \| history