Protect from buffer overflow in the GSS code.
authorSteve Dickson <steved@redhat.com>
Thu, 24 Jan 2008 20:01:22 +0000 (15:01 -0500)
committerSteve Dickson <steved@redhat.com>
Thu, 24 Jan 2008 20:01:22 +0000 (15:01 -0500)
Signed-off-by: Steve Dickson <steved@redhat.com>
src/svc_auth_gss.c

index 19c27d196a87b84686c74d3ede5e8f7fca1f76f8..346e5b1080e34366a6ebcb9877ca47b941e00117 100644 (file)
@@ -294,6 +294,15 @@ svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
        memset(rpchdr, 0, sizeof(rpchdr));
 
        /* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
+       oa = &msg->rm_call.cb_cred;
+       if (oa->oa_length > MAX_AUTH_BYTES)
+               return (FALSE);
+       
+       /* 8 XDR units from the IXDR macro calls. */
+       if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
+                       RNDUP(oa->oa_length)))
+               return (FALSE);
+
        buf = (int32_t *)rpchdr;
        IXDR_PUT_LONG(buf, msg->rm_xid);
        IXDR_PUT_ENUM(buf, msg->rm_direction);
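Review bot: The two added guards only work in this order, and nothing in the hunk says so. Assuming `oa_length` is unsigned, as in the usual `opaque_auth` definition, `RNDUP(oa->oa_length)` on a value near the top of the range would wrap to a small number and pass the `sizeof(rpchdr)` comparison, so the `MAX_AUTH_BYTES` check must stay first; a comment above it such as `/* Bound oa_length first so RNDUP() below cannot wrap. */` would record that. The literal `8` is matched by hand to the IXDR_PUT_* calls that follow (one of them appears to sit between the two hunks and is not visible here), so a named constant kept next to those calls would stop the check going stale when a field is added. Both rejections return FALSE silently, and an oversized credential is a useful detection signal that probably deserves a log line. svcauth_gss_validate starts and ends outside the hunk, and the declaration of `rpchdr` is not visible.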
@@ -301,7 +310,6 @@ svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
        IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
        IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
        IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
-       oa = &msg->rm_call.cb_cred;
        IXDR_PUT_ENUM(buf, oa->oa_flavor);
        IXDR_PUT_LONG(buf, oa->oa_length);
        if (oa->oa_length) {