From ba1857a87fdabcce3c16ff912417083e5d9c27e0 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Sun, 24 Feb 2013 14:58:11 -0800 Subject: [PATCH] OpenAFS-SA-2013-0002: Buffer overflow in OpenAFS ptserver The ptserver accepts a list of unbounded size from the IdToName RPC. The length of this list is then used to determine the size of a number of other internal datastructures. If the length is sufficiently large then we may hit an integer overflow when calculating the size to pass to malloc, and allocate data structures of insufficient length, allowing heap memory to be overwritten. --- src/ptserver/ptprocs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ptserver/ptprocs.c b/src/ptserver/ptprocs.c index 471b56ed9..6194d2dc4 100644 --- a/src/ptserver/ptprocs.c +++ b/src/ptserver/ptprocs.c @@ -679,7 +679,7 @@ idToName(struct rx_call *call, idlist *aid, namelist *aname) size = aid->idlist_len; if (size == 0) return 0; - if (size < 0) + if (size < 0 || size > INT_MAX / PR_MAXNAMELEN) return PRTOOMANY; aname->namelist_val = (prname *) malloc(size * PR_MAXNAMELEN); aname->namelist_len = 0; -- 2.39.5