From 1174e0a6adcc4cfe7719e7090d75b4eda855998d Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Sun, 4 May 2014 05:30:25 -0400
Subject: [PATCH] Fix buffer length validation in ktc_GetToken and knfs
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
The signed int tktLen is checked against a maximum size, then passed as the unsigned size_t argument to memcpy. So we need to make sure it isn’t negative. This doesn’t appear to be exploitable: tktLen comes from the kernel, which should have previously validated the length within the SETTOK pioctl. This bug was found with STACK .
Signed-off-by: Anders Kaseorg
Reviewed-on: http://gerrit.openafs.org/11109
Reviewed-by: Chas Williams - CONTRACTOR
Tested-by: BuildBot
Reviewed-by: Jeffrey Altman
(cherry picked from commit 9c10c202f1f2e516dde8b70c3a3b69a73d163070)
Change-Id: Id8dacdc00fd686d4f2ff234ffd6c8f5346d9e7b0
Reviewed-on: http://gerrit.openafs.org/11112
Reviewed-by: Perry Ruiter
Reviewed-by: Chas Williams - CONTRACTOR
Tested-by: BuildBot
Reviewed-by: Anders Kaseorg
Reviewed-by: Stephan Wiesand
---
 src/auth/ktc.c | 2 +-
 src/kauth/knfs.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/auth/ktc.c b/src/auth/ktc.c
index ee89982cd..3c158204c 100644
--- a/src/auth/ktc.c
+++ b/src/auth/ktc.c
@@ -524,7 +524,7 @@ ktc_GetToken(struct ktc_principal *aserver, struct ktc_token *atoken,
 /* got token for cell; check that it will fit */
 maxLen = atokenLen - sizeof(struct ktc_token) + MAXKTCTICKETLEN;
- if (maxLen < tktLen) {
+ if (tktLen < 0 || tktLen > maxLen) {
 UNLOCK_GLOBAL_MUTEX;
 return KTC_TOOBIG;
 }
diff --git a/src/kauth/knfs.c b/src/kauth/knfs.c
index 245d8524a..a3b51b6db 100644
--- a/src/kauth/knfs.c
+++ b/src/kauth/knfs.c
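Review bot: The sign test on tktLen in the ktc.c hunk (and its twin in the knfs.c hunk) is correct but unexplained in the code: nothing at the comparison says why `tktLen < 0` matters, so a later cleanup could fold it back into a single `maxLen < tktLen` test. A one-line comment above the `if` would pin the reason: `/* tktLen is signed; a negative value would wrap to a huge size_t at the memcpy */`. The check also depends on the type of maxLen, which the hunk does not show: `atokenLen - sizeof(struct ktc_token)` is evaluated in size_t, so if atokenLen can be smaller than sizeof(struct ktc_token) the wrapped result is what lands in maxLen, and whether the new comparison then rejects or accepts depends on whether maxLen is int or size_t — worth confirming that ktc_GetToken rejects a too-small atokenLen before this point. ktc_GetToken's body starts and ends outside the hunk; in knfs.c maxLen is derived from sizeof(token), so that second concern applies only to ktc.c.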
@@ -170,7 +170,7 @@ GetTokens(afs_int32 ahost, afs_int32 auid)
 maxLen = sizeof(token) - sizeof(struct ktc_token) + MAXKTCTICKETLEN;
- if (maxLen < tktLen)
+ if (tktLen < 0 || tktLen > maxLen)
 return KTC_TOOBIG;
 memcpy(token.ticket, stp, tktLen);
 token.startTime = ct.BeginTimestamp;
--
2.39.5