OpenAFS-SA-2013-0002: Buffer overflow in OpenAFS ptserver

The ptserver accepts a list of unbounded size from the IdToName RPC. The
length of this list is then used to determine the size of a number of other
internal datastructures. If the length is sufficiently large then we may
hit an integer overflow when calculating the size to pass to malloc, and
allocate data structures of insufficient length, allowing heap memory to
be overwritten.

diff --git a/src/ptserver/ptprocs.c b/src/ptserver/ptprocs.c
index 471b56ed92981b604301e229354ae8f683d581eb..6194d2dc485eee8b499d2b7478bdb92a6fd7e751 100644 (file)
--- a/src/ptserver/ptprocs.c
+++ b/src/ptserver/ptprocs.c
@@ -679,7 +679,7 @@ idToName(struct rx_call *call, idlist *aid, namelist *aname)
     size = aid->idlist_len;
     if (size == 0)
        return 0;
-    if (size < 0)
+    if (size < 0 || size > INT_MAX / PR_MAXNAMELEN)
        return PRTOOMANY;
     aname->namelist_val = (prname *) malloc(size * PR_MAXNAMELEN);
     aname->namelist_len = 0;