author | Damien Miller <djm@mindrot.org> | 2011-08-06 06:16:46 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2011-08-06 06:16:46 +1000 |
commit | adb467fb692600c569d8129dfd96371b481d2653 (patch) | |
tree | 50728a7b11d956711f722b62f378a4905d0f5229 | |
parent | 35e48198a80aba7361bce8dde4fba464800e3ff6 (diff) |
- markus@cvs.openbsd.org 2011/08/01 19:18:15
[gss-serv.c]
prevent post-auth resource exhaustion (int overflow leading to 4GB malloc);
report Adam Zabrock; ok djm@, deraadt@
-rw-r--r-- | ChangeLog | 4 | ||||
-rw-r--r-- | gss-serv.c | 4 |
2 files changed, 7 insertions, 1 deletions
@@ -13,6 +13,10 @@ | |||
13 | fail open(2) with EPERM rather than SIGKILLing the whole process. libc | 13 | fail open(2) with EPERM rather than SIGKILLing the whole process. libc |
14 | will call open() to do strerror() when NLS is enabled; | 14 | will call open() to do strerror() when NLS is enabled; |
15 | feedback and ok markus@ | 15 | feedback and ok markus@ |
16 | - markus@cvs.openbsd.org 2011/08/01 19:18:15 | ||
17 | [gss-serv.c] | ||
18 | prevent post-auth resource exhaustion (int overflow leading to 4GB malloc); | ||
19 | report Adam Zabrock; ok djm@, deraadt@ | ||
16 | 20 | ||
17 | 20110624 | 21 | 20110624 |
18 | - (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for | 22 | - (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for |
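--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */
 
 /*
 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -229,6 +229,8 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
 name->length = get_u32(tok+offset);
 offset += 4;
 
+if (UINT_MAX - offset < name->length)
+return GSS_S_FAILURE;
 if (ename->length < offset+name->length)
 return GSS_S_FAILURE;
 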
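Review bot: The new guard at new lines 232-233 of ssh_gssapi_parse_ename has no comment saying what it protects, so a later cleanup could drop it as redundant with the length test that follows. I would add `/* name->length is read from the token: reject values where offset+name->length would wrap */` above it. UINT_MAX is only the right bound if `offset` and the sum are evaluated at unsigned int width; their declarations are outside this hunk, so that should be confirmed. Alternatively the test can be written so it cannot overflow at any width, `if (ename->length < offset || ename->length - offset < name->length)`. The function body starts and ends outside the hunk.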