ticket: 6559

version_fixed: 1.7.1 status: resolved pull up r22732 from trunk ------------------------------------------------------------------------ r22732 | ghudson | 2009-09-11 13:30:51 -0400 (Fri, 11 Sep 2009) | 7 lines ticket: 6559 subject: Fix parsing of GSS exported names tags: pullup target_version: 1.7.1 Cherry-picked from Luke's authdata branch. git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23636 dc483132-0cff-0310-8789-dd5450dbe970
aadamowski · Jan 12, 2010 · c54b3bc · c54b3bc
1 parent 335ed02
commit c54b3bc
Showing 1 changed file with 18 additions and 4 deletions.
diff --git a/src/lib/gssapi/krb5/import_name.c b/src/lib/gssapi/krb5/import_name.c
@@ -56,7 +56,8 @@ krb5_gss_import_name(minor_status, input_name_buffer,
     krb5_context context;
     krb5_principal princ;
     krb5_error_code code;
-    char *stringrep, *tmp, *tmp2, *cp;
+    unsigned char *cp, *end;
+    char *stringrep, *tmp, *tmp2;
     OM_uint32    length;
 #ifndef NO_PASSWORD
     struct passwd *pw;
@@ -155,36 +156,49 @@ krb5_gss_import_name(minor_status, input_name_buffer,
             goto do_getpwuid;
 #endif
         } else if (g_OID_equal(input_name_type, gss_nt_exported_name)) {
-            cp = tmp;
+#define BOUNDS_CHECK(cp, end, n) do { if ((end) - (cp) < (n)) \
+                    goto fail_name; } while (0)
+            cp = (unsigned char *)tmp;
+            end = cp + input_name_buffer->length;
+
+            BOUNDS_CHECK(cp, end, 4);
             if (*cp++ != 0x04)
                 goto fail_name;
             if (*cp++ != 0x01)
                 goto fail_name;
             if (*cp++ != 0x00)
                 goto fail_name;
             length = *cp++;
-            if (length != gss_mech_krb5->length+2)
+            if (length != (ssize_t)gss_mech_krb5->length+2)
                 goto fail_name;
+
+            BOUNDS_CHECK(cp, end, 2);
             if (*cp++ != 0x06)
                 goto fail_name;
             length = *cp++;
             if (length != gss_mech_krb5->length)
                 goto fail_name;
+
+            BOUNDS_CHECK(cp, end, length);
             if (memcmp(cp, gss_mech_krb5->elements, length) != 0)
                 goto fail_name;
             cp += length;
+
+            BOUNDS_CHECK(cp, end, 4);
             length = *cp++;
             length = (length << 8) | *cp++;
             length = (length << 8) | *cp++;
             length = (length << 8) | *cp++;
+
+            BOUNDS_CHECK(cp, end, length);
             tmp2 = malloc(length+1);
             if (tmp2 == NULL) {
                 xfree(tmp);
                 *minor_status = ENOMEM;
                 krb5_free_context(context);
                 return GSS_S_FAILURE;
             }
-            strncpy(tmp2, cp, length);
+            strncpy(tmp2, (char *)cp, length);
             tmp2[length] = 0;
 
             stringrep = tmp2;