From: Steve Dickson Date: Thu, 24 Jan 2008 20:01:22 +0000 (-0500) Subject: Protect from buffer overflow in the GSS code. X-Git-Tag: libtirpc-0_1_8~4 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=3cf1a3ce1a409e647f9b8ca4497c26e6d066f293;p=libtirpc Protect from buffer overflow in the GSS code. Signed-off-by: Steve Dickson
---
diff --git a/src/svc_auth_gss.c b/src/svc_auth_gss.c
index 19c27d1..346e5b1 100644
--- a/src/svc_auth_gss.c
+++ b/src/svc_auth_gss.c
@@ -294,6 +294,15 @@ svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg) memset(rpchdr, 0, sizeof(rpchdr)); /* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */ + oa = &msg->rm_call.cb_cred; + if (oa->oa_length > MAX_AUTH_BYTES) + return (FALSE); + + /* 8 XDR units from the IXDR macro calls. */ + if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT + + RNDUP(oa->oa_length))) + return (FALSE); + buf = (int32_t *)rpchdr; IXDR_PUT_LONG(buf, msg->rm_xid); IXDR_PUT_ENUM(buf, msg->rm_direction);
@@ -301,7 +310,6 @@ svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
 IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
 IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
 IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
- oa = &msg->rm_call.cb_cred;
 IXDR_PUT_ENUM(buf, oa->oa_flavor);
 IXDR_PUT_LONG(buf, oa->oa_length);
 if (oa->oa_length) {
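Review bot: The size guard added in the first hunk, just before `buf = (int32_t *)rpchdr;`, hard-codes `8` as the number of XDR units written by the IXDR_PUT_* calls, so the bound silently goes stale if a field is ever added to or removed from the reconstructed header. Only seven of those calls are visible across the two hunks (the eighth is presumably on the unshown line between them), which makes the count hard to confirm on review. I would give it a name next to the buffer, e.g. `#define RPCHDR_FIXED_UNITS 8 /* one per IXDR_PUT_* call below */`, and add a comment that the `oa_length > MAX_AUTH_BYTES` test has to stay ahead of the second check so that `RNDUP(oa->oa_length)` cannot wrap on an oversized length from the wire. The guard also depends on `rpchdr` being an array, so that `sizeof(rpchdr)` is its capacity; its declaration and the copy guarded by `if (oa->oa_length) {` both lie outside the hunks.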