Avoid buffer overruns by allocating buffer in svcauth_gss_validate()

Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>

diff --git a/src/svc_auth_gss.c b/src/svc_auth_gss.c
index 601a6916857e6347bd40db9873e5792b5aff80a5..26c1065951dd7f2f244e5b53125a31de675be127 100644 (file)
--- a/src/svc_auth_gss.c
+++ b/src/svc_auth_gss.c
@@ -286,21 +286,19 @@ svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
        struct opaque_auth      *oa;
        gss_buffer_desc          rpcbuf, checksum;
        OM_uint32                maj_stat, min_stat, qop_state;
-       u_char                   rpchdr[128];
+       u_char                   *rpchdr;
        int32_t                 *buf;
 
        gss_log_debug("in svcauth_gss_validate()");
 
-       memset(rpchdr, 0, sizeof(rpchdr));
-
        /* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
        oa = &msg->rm_call.cb_cred;
        if (oa->oa_length > MAX_AUTH_BYTES)
                return (FALSE);
-       
-       /* 8 XDR units from the IXDR macro calls. */
-       if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
-                       RNDUP(oa->oa_length)))
+
+       rpchdr = (u_char *)calloc(((8 * BYTES_PER_XDR_UNIT) + 
+                       RNDUP(oa->oa_length)), 1);
+       if (rpchdr == NULL)
                return (FALSE);
 
        buf = (int32_t *)rpchdr;
@@ -325,6 +323,8 @@ svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
        maj_stat = gss_verify_mic(&min_stat, gd->ctx, &rpcbuf, &checksum,
                                  &qop_state);
 
+       free(rpchdr);
+
        if (maj_stat != GSS_S_COMPLETE) {
                gss_log_status("gss_verify_mic", maj_stat, min_stat);
                return (FALSE);