OpenAFS-SA-2013-0002: Buffer overflow in OpenAFS ptserver

The ptserver accepts a list of unbounded size from the IdToName RPC. The
length of this list is then used to determine the size of a number of other
internal datastructures. If the length is sufficiently large then we may
hit an integer overflow when calculating the size to pass to malloc, and
allocate data structures of insufficient length, allowing heap memory to
be overwritten.

diff --git a/src/ptserver/ptprocs.c b/src/ptserver/ptprocs.c
index c56d670a8481f2fe8bf0aa7ac0cc90671bb070d8..239752ac959851cd68d55677efa8543c0626cab5 100644 (file)
--- a/src/ptserver/ptprocs.c
+++ b/src/ptserver/ptprocs.c
@@ -691,7 +691,7 @@ idToName(call, aid, aname)
     size = aid->idlist_len;
     if (size == 0)
        return 0;
-    if (size < 0)
+    if (size < 0 || size > INT_MAX / PR_MAXNAMELEN)
        return PRTOOMANY;
     aname->namelist_val = (prname *) malloc(size * PR_MAXNAMELEN);
     aname->namelist_len = 0;