The signed int tktLen is checked against a maximum size, then passed
as the unsigned size_t argument to memcpy. So we need to make sure it
isn’t negative.
This doesn’t appear to be exploitable: tktLen comes from the kernel,
which should have previously validated the length within the SETTOK
pioctl.
This bug was found with STACK <http://css.csail.mit.edu/stack/>.
Signed-off-by: Anders Kaseorg <andersk@mit.edu>
Reviewed-on: http://gerrit.openafs.org/11109
Reviewed-by: Chas Williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
(cherry picked from commit 9c10c202f1f2e516dde8b70c3a3b69a73d163070)
Change-Id: Id8dacdc00fd686d4f2ff234ffd6c8f5346d9e7b0
Reviewed-on: http://gerrit.openafs.org/11112
Reviewed-by: Perry Ruiter <pruiter@sinenomine.net>
Reviewed-by: Chas Williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Anders Kaseorg <andersk@mit.edu>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
/* got token for cell; check that it will fit */
maxLen =
atokenLen - sizeof(struct ktc_token) + MAXKTCTICKETLEN;
- if (maxLen < tktLen) {
+ if (tktLen < 0 || tktLen > maxLen) {
UNLOCK_GLOBAL_MUTEX;
return KTC_TOOBIG;
}
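Review bot: The new `tktLen < 0 || tktLen > maxLen` guard closes the signed/unsigned hole, but the `maxLen` computation just above it (`atokenLen - sizeof(struct ktc_token) + MAXKTCTICKETLEN`) is unsigned arithmetic because `sizeof` yields a `size_t`; if `atokenLen` can ever be smaller than `sizeof(struct ktc_token)`, the subtraction wraps to a very large value and the `tktLen > maxLen` half of the check becomes a no-op. Either add an `atokenLen < sizeof(struct ktc_token)` early return before computing `maxLen`, or note in the comment why the caller guarantees the buffer is at least that large. Also worth a comment that the `tktLen < 0` test must stay first: once it has short-circuited, the promotion of the non-negative `int` in `tktLen > maxLen` is well defined, which is exactly what the old `maxLen < tktLen` comparison lacked.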
maxLen =
sizeof(token) - sizeof(struct ktc_token) +
MAXKTCTICKETLEN;
- if (maxLen < tktLen)
+ if (tktLen < 0 || tktLen > maxLen)
return KTC_TOOBIG;
memcpy(token.ticket, stp, tktLen);
token.startTime = ct.BeginTimestamp;
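Review bot: Same fix pattern as the first hunk and consistent with it, which is good, since this `memcpy(token.ticket, stp, tktLen)` is the actual sink that received the negative length as a huge `size_t`. The `maxLen` here is derived from `sizeof(token)`, a compile-time constant, so it cannot underflow the way the first hunk's `atokenLen`-based value can, but the identical guard now appears twice; consider a small static helper (e.g. a `ticket_len_ok(tktLen, maxLen)` check) or at least a one-line comment on each site explaining that `tktLen` is a signed value that must be rejected before it is widened for `memcpy`, so the next person editing one site updates both.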