From: Russ Allbery Date: Sun, 24 Feb 2013 22:58:11 +0000 (-0800) Subject: OpenAFS-SA-2013-0002: Buffer overflow in OpenAFS ptserver X-Git-Tag: debian/1.6.1-3~3 X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=ba1857a87fdabcce3c16ff912417083e5d9c27e0;p=packages%2Fo%2Fopenafs.git OpenAFS-SA-2013-0002: Buffer overflow in OpenAFS ptserver The ptserver accepts a list of unbounded size from the IdToName RPC. The length of this list is then used to determine the size of a number of other internal datastructures. If the length is sufficiently large then we may hit an integer overflow when calculating the size to pass to malloc, and allocate data structures of insufficient length, allowing heap memory to be overwritten. --- diff --git a/src/ptserver/ptprocs.c b/src/ptserver/ptprocs.c index 471b56ed9..6194d2dc4 100644 --- a/src/ptserver/ptprocs.c +++ b/src/ptserver/ptprocs.c @@ -679,7 +679,7 @@ idToName(struct rx_call *call, idlist *aid, namelist *aname) size = aid->idlist_len; if (size == 0) return 0; - if (size < 0) + if (size < 0 || size > INT_MAX / PR_MAXNAMELEN) return PRTOOMANY; aname->namelist_val = (prname *) malloc(size * PR_MAXNAMELEN); aname->namelist_len = 0;
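Review bot: the new upper bound in idToName, `size > INT_MAX / PR_MAXNAMELEN`, keeps `size * PR_MAXNAMELEN` from wrapping, but it still lets a single IdToName call request an allocation close to INT_MAX bytes. Since `aid->idlist_len` comes straight from the RPC caller, consider a much smaller named limit on the list length, so that an oversized request is rejected with PRTOOMANY before any large allocation is attempted. The commit message also says the list length sizes a number of other internal data structures, while this hunk guards only the `aname->namelist_val` allocation. It is worth confirming that every other allocation derived from `size` has an element size no larger than PR_MAXNAMELEN. If any is larger, that multiplication can still overflow under this bound. Finally, the visible lines set `aname->namelist_len = 0` immediately after `malloc` without showing a NULL check. If none follows, add one, because large but legal sizes make allocation failure more likely. The hunk also adds no include, so check that ptprocs.c already gets INT_MAX from `<limits.h>`.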