From: Russ Allbery <rra@debian.org>
Date: Sun, 24 Feb 2013 23:06:19 +0000 (-0800)
Subject: OpenAFS-SA-2013-0002: Buffer overflow in OpenAFS ptserver
X-Git-Tag: debian/1.4.12.1+dfsg-4+squeeze1~3
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=df9641f65d9b4ec349ce05e3f160a0e290650b35;p=packages%2Fo%2Fopenafs.git

OpenAFS-SA-2013-0002: Buffer overflow in OpenAFS ptserver

The ptserver accepts a list of unbounded size from the IdToName RPC. The
length of this list is then used to determine the size of a number of other
internal datastructures. If the length is sufficiently large then we may
hit an integer overflow when calculating the size to pass to malloc, and
allocate data structures of insufficient length, allowing heap memory to
be overwritten.
---

diff --git a/src/ptserver/ptprocs.c b/src/ptserver/ptprocs.c
index c56d670a8..239752ac9 100644
--- a/src/ptserver/ptprocs.c
+++ b/src/ptserver/ptprocs.c
@@ -691,7 +691,7 @@ idToName(call, aid, aname)
     size = aid->idlist_len;
     if (size == 0)
 	return 0;
-    if (size < 0)
+    if (size < 0 || size > INT_MAX / PR_MAXNAMELEN)
 	return PRTOOMANY;
     aname->namelist_val = (prname *) malloc(size * PR_MAXNAMELEN);
     aname->namelist_len = 0;