From a6f166e7febf46e65b132ccbc0d9d6c1acac9783 Mon Sep 17 00:00:00 2001 From: Sam Hartman Date: Sat, 3 Aug 2002 21:33:30 +0000 Subject: [PATCH] XDR security fix --- debian/changelog | 6 +++ debian/xdr-integer-overflow.patch | 70 +++++++++++++++++++++++++++++++ src/rx/Makefile.in | 2 +- src/rx/xdr.c | 4 +- src/rx/xdr_array.c | 7 +++- src/rx/xdr_arrayn.c | 7 +++- 6 files changed, 90 insertions(+), 6 deletions(-) create mode 100644 debian/xdr-integer-overflow.patch diff --git a/debian/changelog b/debian/changelog index 526d9cd1f..612ff8445 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +openafs (1.2.3final2-6) stable-security; urgency=high + + * Security problem: fix XDR buffer overflow based on upstream advisory. + + -- Sam Hartman Sat, 3 Aug 2002 17:29:30 -0400 + openafs (1.2.3final2-5) unstable; urgency=medium * Fix subarch handling, closes: #139662 diff --git a/debian/xdr-integer-overflow.patch b/debian/xdr-integer-overflow.patch new file mode 100644 index 000000000..cf1db0754 --- /dev/null +++ b/debian/xdr-integer-overflow.patch 
@@ -0,0 +1,70 @@ +=================================================================== +RCS file: /cvs/openafs/src/rx/Makefile.in,v +retrieving revision 1.4.2.1 +retrieving revision 1.4.2.2 +diff -u -r1.4.2.1 -r1.4.2.2 +--- openafs/src/rx/Makefile.in 2002/01/20 08:38:38 1.4.2.1 ++++ openafs/src/rx/Makefile.in 2002/08/02 02:45:14 1.4.2.2 +@@ -38,7 +38,7 @@ + # Generic xdr objects (or, at least, xdr stuff that's not newly defined for rx). + # Really the xdr stuff should be in its own directory. + # +-XDROBJS = xdr_arrayn.o xdr_rx.o xdr_afsuuid.o ++XDROBJS = xdr.o xdr_array.o xdr_arrayn.o xdr_rx.o xdr_afsuuid.o + + RXOBJS = rx_clock.o rx_event.o rx_user.o rx_lwp.o rx.o rx_null.o rx_globals.o \ + rx_getaddr.o rx_misc.o rx_packet.o rx_rdwr.o rx_trace.o rx_conncache.o \ +=================================================================== +RCS file: /cvs/openafs/src/rx/xdr.c,v +retrieving revision 1.4 +retrieving revision 1.5 +diff -u -r1.4 -r1.5 +--- openafs/src/rx/xdr.c 2002/06/08 04:43:38 1.4 ++++ openafs/src/rx/xdr.c 2002/07/31 23:13:09 1.5 +@@ -558,6 +558,8 @@ + u_int size; + u_int nodesize; + ++ if (maxsize > ((~0) >> 1) - 1) maxsize = ((~0) >> 1) - 1; ++ + /* + * first deal with the length since xdr strings are counted-strings + */ +=================================================================== +RCS file: /cvs/openafs/src/rx/xdr_array.c,v +retrieving revision 1.4 +retrieving revision 1.5 +diff -u -r1.4 -r1.5 +--- openafs/src/rx/xdr_array.c 2001/08/08 00:03:57 1.4 ++++ openafs/src/rx/xdr_array.c 2002/07/31 23:13:09 1.5 +@@ -84,7 +84,10 @@ + register caddr_t target = *addrp; + register u_int c; /* the actual element count */ + register bool_t stat = TRUE; +- register int nodesize; ++ register u_int nodesize; ++ ++ i = ((~0) >> 1) / elsize; ++ if (maxsize > i) maxsize = i; + + /* like strings, arrays are really counted arrays */ + if (! 
xdr_u_int(xdrs, sizep)) { +=================================================================== +RCS file: /cvs/openafs/src/rx/xdr_arrayn.c,v +retrieving revision 1.4 +retrieving revision 1.5 +diff -u -r1.4 -r1.5 +--- openafs/src/rx/xdr_arrayn.c 2001/08/08 00:03:57 1.4 ++++ openafs/src/rx/xdr_arrayn.c 2002/07/31 23:13:09 1.5 +@@ -89,7 +89,10 @@ + register caddr_t target = *addrp; + register u_int c; /* the actual element count */ + register bool_t stat = TRUE; +- register int nodesize; ++ register u_int nodesize; ++ ++ i = ((~0) >> 1) / elsize; ++ if (maxsize > i) maxsize = i; + + /* like strings, arrays are really counted arrays */ + if (! xdr_u_int(xdrs, sizep)) { diff --git a/src/rx/Makefile.in b/src/rx/Makefile.in index 9fd3e7214..bd2cac240 100644 --- a/src/rx/Makefile.in +++ b/src/rx/Makefile.in @@ -38,7 +38,7 @@ CFLAGS=${OPTMZ} -I${TOP_SRCDIR}/config -I${TOP_INCDIR} -DRXDEBUG ${XCFLAGS} # Generic xdr objects (or, at least, xdr stuff that's not newly defined for rx). # Really the xdr stuff should be in its own directory. # -XDROBJS = xdr_arrayn.o xdr_rx.o xdr_afsuuid.o +XDROBJS = xdr.o xdr_array.o xdr_arrayn.o xdr_rx.o xdr_afsuuid.o RXOBJS = rx_clock.o rx_event.o rx_user.o rx_lwp.o rx.o rx_null.o rx_globals.o \ rx_getaddr.o rx_misc.o rx_packet.o rx_rdwr.o rx_trace.o rx_conncache.o \ diff --git a/src/rx/xdr.c b/src/rx/xdr.c index fc7a53b8a..8775d4e05 100644 --- a/src/rx/xdr.c +++ b/src/rx/xdr.c @@ -34,7 +34,7 @@ #include #endif -RCSID("$Header: /tmp/cvstemp/openafs/src/rx/xdr.c,v 1.1.1.3 2001/07/14 22:23:36 hartmans Exp $"); +RCSID("$Header: /tmp/cvstemp/openafs/src/rx/xdr.c,v 1.1.1.3.2.1 2002/08/03 21:33:30 hartmans Exp $"); /* * xdr.c, Generic XDR routines implementation. @@ -556,6 +556,8 @@ xdr_string(xdrs, cpp, maxsize) u_int size; u_int nodesize; + if (maxsize > ((~0) >> 1) - 1) maxsize = ((~0) >> 1) - 1; + /* * first deal with the length since xdr strings are counted-strings */ 
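Review bot: The comment above `XDROBJS` in `src/rx/Makefile.in` does not say why `xdr.o` and `xdr_array.o` are now built here, although this line is what puts the patched `xdr.c` and `xdr_array.c` into the rx objects. Presumably those routines were resolved from elsewhere before this change (confirm against the link line), so a later cleanup of the list could drop the two objects and lose the fix without any build error. I would add a line such as `# xdr.o and xdr_array.o are built locally so the length-clamped xdr_string/xdr_array are the ones linked in.`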
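Review bot: The clamp added to `xdr_string` relies on `(~0) >> 1`, a right shift of a negative `int`, whose result is implementation-defined. Where the shift is arithmetic the value stays -1, so if `maxsize` is unsigned (its declaration is outside the hunk) `((~0) >> 1) - 1` converts to `UINT_MAX - 1` in the comparison, and the cap is far looser than the `INT_MAX - 1` the expression appears to aim for. An unsigned operand gives the same bound on every compiler: `if (maxsize > (~0u >> 1) - 1) maxsize = (~0u >> 1) - 1;`. The same `(~0) >> 1` appears in the `xdr_array.c` and `xdr_arrayn.c` hunks, and the rest of `xdr_string` lies outside this hunk.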
diff --git a/src/rx/xdr_array.c b/src/rx/xdr_array.c index f4f9a5230..38f17307d 100644 --- a/src/rx/xdr_array.c +++ b/src/rx/xdr_array.c @@ -29,7 +29,7 @@ #include #include -RCSID("$Header: /tmp/cvstemp/openafs/src/rx/xdr_array.c,v 1.1.1.4 2001/09/11 14:34:26 hartmans Exp $"); +RCSID("$Header: /tmp/cvstemp/openafs/src/rx/xdr_array.c,v 1.1.1.4.2.1 2002/08/03 21:33:30 hartmans Exp $"); #ifndef NeXT @@ -84,7 +84,10 @@ xdr_array(xdrs, addrp, sizep, maxsize, elsize, elproc) register caddr_t target = *addrp; register u_int c; /* the actual element count */ register bool_t stat = TRUE; - register int nodesize; + register u_int nodesize; + + i = ((~0) >> 1) / elsize; + if (maxsize > i) maxsize = i; /* like strings, arrays are really counted arrays */ if (! xdr_u_int(xdrs, sizep)) { diff --git a/src/rx/xdr_arrayn.c b/src/rx/xdr_arrayn.c index 67ae0db5d..1c38d49fe 100644 --- a/src/rx/xdr_arrayn.c +++ b/src/rx/xdr_arrayn.c @@ -29,7 +29,7 @@ #include #include -RCSID("$Header: /tmp/cvstemp/openafs/src/rx/xdr_arrayn.c,v 1.1.1.4 2001/09/11 14:34:26 hartmans Exp $"); +RCSID("$Header: /tmp/cvstemp/openafs/src/rx/xdr_arrayn.c,v 1.1.1.4.2.1 2002/08/03 21:33:30 hartmans Exp $"); #if !defined(NeXT) @@ -89,7 +89,10 @@ bool_t xdr_arrayN(xdrs, addrp, sizep, maxsize, elsize, elproc) register caddr_t target = *addrp; register u_int c; /* the actual element count */ register bool_t stat = TRUE; - register int nodesize; + register u_int nodesize; + + i = ((~0) >> 1) / elsize; + if (maxsize > i) maxsize = i; /* like strings, arrays are really counted arrays */ if (! xdr_u_int(xdrs, sizep)) { -- 2.39.5
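Review bot: The new `i = ((~0) >> 1) / elsize;` in `xdr_array` divides by the caller-supplied `elsize` with no zero check, so an `elsize` of 0 becomes a division by zero before any length is decoded. A guard ahead of the division, for example `if (elsize == 0) return FALSE;`, would close that, assuming a zero element size is never legitimate for callers. The identical lines in the `xdr_arrayN` hunk need the same guard. `i` and `maxsize` are declared outside the hunk, so confirm both are unsigned like the new `u_int nodesize`; otherwise `maxsize > i` mixes signedness.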