From df9641f65d9b4ec349ce05e3f160a0e290650b35 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Sun, 24 Feb 2013 15:06:19 -0800
Subject: [PATCH] OpenAFS-SA-2013-0002: Buffer overflow in OpenAFS ptserver The ptserver accepts a list of unbounded size from the IdToName RPC. The length of this list is then used to determine the size of a number of other internal datastructures. If the length is sufficiently large then we may hit an integer overflow when calculating the size to pass to malloc, and allocate data structures of insufficient length, allowing heap memory to be overwritten.
---
 src/ptserver/ptprocs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ptserver/ptprocs.c b/src/ptserver/ptprocs.c
index c56d670a8..239752ac9 100644
--- a/src/ptserver/ptprocs.c
+++ b/src/ptserver/ptprocs.c
@@ -691,7 +691,7 @@ idToName(call, aid, aname)
 size = aid->idlist_len;
 if (size == 0)
 return 0;
- if (size < 0)
+ if (size < 0 || size > INT_MAX / PR_MAXNAMELEN)
 return PRTOOMANY;
 aname->namelist_val = (prname *) malloc(size * PR_MAXNAMELEN);
 aname->namelist_len = 0;
-- 2.39.5
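Review bot: The new bound in idToName stops `size * PR_MAXNAMELEN` from wrapping, but it still lets a single request ask for an allocation of close to INT_MAX bytes, and the `malloc` result on the following line is not checked within the hunk. If no check follows in the lines outside the hunk, add `if (aname->namelist_val == NULL) return PRNOMEM;` before the list is filled, and consider a much smaller protocol-level cap on `idlist_len` so the limit reflects what a legitimate caller needs rather than what fits in an int. The commit message says the length also sizes other internal data structures; those allocations are not visible here and should be confirmed to be safe under the same bound. idToName's body starts and ends outside the hunk.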