XDR security fix

diff --git a/debian/changelog b/debian/changelog
index 526d9cd1f129e3aced28ef92890ccefd07014f94..612ff8445bc146f5678edb03fa947c6a3817e266 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+openafs (1.2.3final2-6) stable-security; urgency=high
+
+  * Security problem: fix XDR buffer overflow based on upstream advisory.
+
+ -- Sam Hartman <hartmans@debian.org>  Sat,  3 Aug 2002 17:29:30 -0400
+
 openafs (1.2.3final2-5) unstable; urgency=medium
 
   * Fix subarch handling, closes: #139662

diff --git a/debian/xdr-integer-overflow.patch b/debian/xdr-integer-overflow.patch
new file mode 100644 (file)
index 0000000..cf1db07
--- /dev/null
+++ b/debian/xdr-integer-overflow.patch
@@ -0,0 +1,70 @@
+===================================================================
+RCS file: /cvs/openafs/src/rx/Makefile.in,v
+retrieving revision 1.4.2.1
+retrieving revision 1.4.2.2
+diff -u -r1.4.2.1 -r1.4.2.2
+--- openafs/src/rx/Makefile.in 2002/01/20 08:38:38     1.4.2.1
++++ openafs/src/rx/Makefile.in 2002/08/02 02:45:14     1.4.2.2
+@@ -38,7 +38,7 @@
+ # Generic xdr objects (or, at least, xdr stuff that's not newly defined for rx).
+ # Really the xdr stuff should be in its own directory.
+ #
+-XDROBJS = xdr_arrayn.o xdr_rx.o xdr_afsuuid.o
++XDROBJS = xdr.o xdr_array.o xdr_arrayn.o xdr_rx.o xdr_afsuuid.o
+ 
+ RXOBJS = rx_clock.o rx_event.o rx_user.o rx_lwp.o rx.o rx_null.o rx_globals.o \
+       rx_getaddr.o rx_misc.o rx_packet.o rx_rdwr.o  rx_trace.o rx_conncache.o \
+===================================================================
+RCS file: /cvs/openafs/src/rx/xdr.c,v
+retrieving revision 1.4
+retrieving revision 1.5
+diff -u -r1.4 -r1.5
+--- openafs/src/rx/xdr.c       2002/06/08 04:43:38     1.4
++++ openafs/src/rx/xdr.c       2002/07/31 23:13:09     1.5
+@@ -558,6 +558,8 @@
+       u_int size;
+       u_int nodesize;
+ 
++        if (maxsize > ((~0) >> 1) - 1) maxsize = ((~0) >> 1) - 1;
++
+       /*
+        * first deal with the length since xdr strings are counted-strings
+        */
+===================================================================
+RCS file: /cvs/openafs/src/rx/xdr_array.c,v
+retrieving revision 1.4
+retrieving revision 1.5
+diff -u -r1.4 -r1.5
+--- openafs/src/rx/xdr_array.c 2001/08/08 00:03:57     1.4
++++ openafs/src/rx/xdr_array.c 2002/07/31 23:13:09     1.5
+@@ -84,7 +84,10 @@
+       register caddr_t target = *addrp;
+       register u_int c;  /* the actual element count */
+       register bool_t stat = TRUE;
+-      register int nodesize;
++      register u_int nodesize;
++
++        i = ((~0) >> 1) / elsize;
++        if (maxsize > i) maxsize = i;
+ 
+       /* like strings, arrays are really counted arrays */
+       if (! xdr_u_int(xdrs, sizep)) {
+===================================================================
+RCS file: /cvs/openafs/src/rx/xdr_arrayn.c,v
+retrieving revision 1.4
+retrieving revision 1.5
+diff -u -r1.4 -r1.5
+--- openafs/src/rx/xdr_arrayn.c        2001/08/08 00:03:57     1.4
++++ openafs/src/rx/xdr_arrayn.c        2002/07/31 23:13:09     1.5
+@@ -89,7 +89,10 @@
+       register caddr_t target = *addrp;
+       register u_int c;  /* the actual element count */
+       register bool_t stat = TRUE;
+-      register int nodesize;
++      register u_int nodesize;
++
++        i = ((~0) >> 1) / elsize;
++        if (maxsize > i) maxsize = i;
+ 
+       /* like strings, arrays are really counted arrays */
+       if (! xdr_u_int(xdrs, sizep)) {

diff --git a/src/rx/Makefile.in b/src/rx/Makefile.in
index 9fd3e7214da5f9d9043662b1cbbf003575c49d7f..bd2cac240afb123aba9143fc1d52d6e54d3ed0f5 100644 (file)
--- a/src/rx/Makefile.in
+++ b/src/rx/Makefile.in
@@ -38,7 +38,7 @@ CFLAGS=${OPTMZ} -I${TOP_SRCDIR}/config -I${TOP_INCDIR} -DRXDEBUG ${XCFLAGS}
 # Generic xdr objects (or, at least, xdr stuff that's not newly defined for rx).
 # Really the xdr stuff should be in its own directory.
 #
-XDROBJS = xdr_arrayn.o xdr_rx.o xdr_afsuuid.o
+XDROBJS = xdr.o xdr_array.o xdr_arrayn.o xdr_rx.o xdr_afsuuid.o
 
 RXOBJS = rx_clock.o rx_event.o rx_user.o rx_lwp.o rx.o rx_null.o rx_globals.o \
        rx_getaddr.o rx_misc.o rx_packet.o rx_rdwr.o  rx_trace.o rx_conncache.o \

diff --git a/src/rx/xdr.c b/src/rx/xdr.c
index fc7a53b8a5e2b1c7c7ad60ab22a1332786cb7e78..8775d4e05df2e4f50d13abb3b3cea8081bc50021 100644 (file)
--- a/src/rx/xdr.c
+++ b/src/rx/xdr.c
@@ -34,7 +34,7 @@
 #include <afs/param.h>
 #endif
 
-RCSID("$Header: /tmp/cvstemp/openafs/src/rx/xdr.c,v 1.1.1.3 2001/07/14 22:23:36 hartmans Exp $");
+RCSID("$Header: /tmp/cvstemp/openafs/src/rx/xdr.c,v 1.1.1.3.2.1 2002/08/03 21:33:30 hartmans Exp $");
 
 /*
  * xdr.c, Generic XDR routines implementation.
@@ -556,6 +556,8 @@ xdr_string(xdrs, cpp, maxsize)
        u_int size;
        u_int nodesize;
 
+        if (maxsize > ((~0) >> 1) - 1) maxsize = ((~0) >> 1) - 1;
+
        /*
         * first deal with the length since xdr strings are counted-strings
         */

diff --git a/src/rx/xdr_array.c b/src/rx/xdr_array.c
index f4f9a52308916bb74683ffb4cd0d593cae658e67..38f17307db0e763909b22802663baa81338a16d4 100644 (file)
--- a/src/rx/xdr_array.c
+++ b/src/rx/xdr_array.c
@@ -29,7 +29,7 @@
 #include <afsconfig.h>
 #include <afs/param.h>
 
-RCSID("$Header: /tmp/cvstemp/openafs/src/rx/xdr_array.c,v 1.1.1.4 2001/09/11 14:34:26 hartmans Exp $");
+RCSID("$Header: /tmp/cvstemp/openafs/src/rx/xdr_array.c,v 1.1.1.4.2.1 2002/08/03 21:33:30 hartmans Exp $");
 
 #ifndef        NeXT
 
@@ -84,7 +84,10 @@ xdr_array(xdrs, addrp, sizep, maxsize, elsize, elproc)
        register caddr_t target = *addrp;
        register u_int c;  /* the actual element count */
        register bool_t stat = TRUE;
-       register int nodesize;
+       register u_int nodesize;
+
+        i = ((~0) >> 1) / elsize;
+        if (maxsize > i) maxsize = i;
 
        /* like strings, arrays are really counted arrays */
        if (! xdr_u_int(xdrs, sizep)) {

diff --git a/src/rx/xdr_arrayn.c b/src/rx/xdr_arrayn.c
index 67ae0db5dc8e6a2ab741c17582ac0612d33183b5..1c38d49fe70fe361e3d2d42b141b754568e0adfe 100644 (file)
--- a/src/rx/xdr_arrayn.c
+++ b/src/rx/xdr_arrayn.c
@@ -29,7 +29,7 @@
 #include <afsconfig.h>
 #include <afs/param.h>
 
-RCSID("$Header: /tmp/cvstemp/openafs/src/rx/xdr_arrayn.c,v 1.1.1.4 2001/09/11 14:34:26 hartmans Exp $");
+RCSID("$Header: /tmp/cvstemp/openafs/src/rx/xdr_arrayn.c,v 1.1.1.4.2.1 2002/08/03 21:33:30 hartmans Exp $");
 
 #if !defined(NeXT)
 
@@ -89,7 +89,10 @@ bool_t xdr_arrayN(xdrs, addrp, sizep, maxsize, elsize, elproc)
        register caddr_t target = *addrp;
        register u_int c;  /* the actual element count */
        register bool_t stat = TRUE;
-       register int nodesize;
+       register u_int nodesize;
+
+        i = ((~0) >> 1) / elsize;
+        if (maxsize > i) maxsize = i;
 
        /* like strings, arrays are really counted arrays */
        if (! xdr_u_int(xdrs, sizep)) {