From nalin@blade.devel.redhat.com Wed Oct 9 16:23:04 2002
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by krbdev.mit.edu (8.9.3) with ESMTP id QAA24755; Wed, 9 Oct 2002 16:23:04 -0400 (EDT)
Received: from blade.devel.redhat.com (nat-pool-rdu.redhat.com [66.187.233.200]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id QAA28578 for ; Wed, 9 Oct 2002 16:23:03 -0400 (EDT)
Received: from blade.devel.redhat.com (localhost.localdomain [127.0.0.1]) by blade.devel.redhat.com (8.12.5/8.12.5) with ESMTP id g99KN9TG027961 for ; Wed, 9 Oct 2002 16:23:09 -0400
Received: (from nalin@localhost) by blade.devel.redhat.com (8.12.5/8.12.5/Submit) id g99KN9ap027959; Wed, 9 Oct 2002 16:23:09 -0400
Date: Wed, 9 Oct 2002 16:23:09 -0400
Message-Id: <200210092023.g99KN9ap027959@blade.devel.redhat.com>
To: krb5-bugs@mit.edu
From: nalin@redhat.com
Reply-To: nalin@redhat.com
X-send-pr-version: 3.99

>Submitter-Id: net
>Originator: Nalin Dahyabhai
>Confidential: no
>Synopsis:
>Severity: non-critical
>Priority: low
>Category: krb5-libs
>Class: sw-bug
>Release: krb5-1.2.6
System: Linux 2.4.18
Architecture: i686 glibc 2.2.x/2.3
>Description:
The res_search() function is allowed to return a result size which is larger than the size of the buffer which is passed in by the calling application (in this case, libkrb5) if the response has to be truncated to fit into the buffer. libkrb5 does not check for this.
>How-To-Repeat:
Configure a Kerberos client to use DNS to retrieve server information for the local realm, and populate DNS with large, unique RRs for the queries libkrb5 will make.
>Fix:
A longer patch could retry a truncated request with a larger buffer, but the simplest thing is to fail for too-large responses, which is what should happen anyway if the library attempts to read past the end of its buffer. This patch hasn't been thoroughly tested, but it looks correct:

--- src/lib/krb5/os/hst_realm.c 2002-10-09 14:03:04.000000000 -0400 +++ src/lib/krb5/os/hst_realm.c 2002-10-09 14:12:43.000000000 -0400 @@ -141,7 +141,7 @@ } size = res_search(host, C_IN, T_TXT, answer.bytes, sizeof(answer.bytes)); - if (size < 0) + if ((size < sizeof(HEADER)) || (size > sizeof(answer.bytes)) return KRB5_ERR_HOST_REALM_UNKNOWN; p = answer.bytes;
--- src/lib/krb5/os/locate_kdc.c 2002-10-09 14:15:57.000000000 -0400 +++ src/lib/krb5/os/locate_kdc.c 2002-10-09 14:59:26.000000000 -0400 @@ -391,7 +391,7 @@ size = res_search(host, C_IN, T_SRV, answer.bytes, sizeof(answer.bytes)); - if (size < hdrsize) + if ((size < hdrsize) || (size > sizeof(answer.bytes)) goto out; /* @@ -463,6 +463,8 @@ CHECK(p,2); rdlen = NTOHSP(p,2); + CHECK(p,rdlen); + /* * If this is an SRV record, process it. Record format is: *
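Review bot: the replacement condition in the hst_realm.c hunk is missing a closing parenthesis, so it will not compile as posted; `if ((size < sizeof(HEADER)) || (size > sizeof(answer.bytes))` needs one more `)` before the `return`. The comparison also mixes the int returned by res_search() with size_t, so a negative return only fails because it converts to a large unsigned value that trips the second test; keeping the original `size < 0` test ahead of the two size_t comparisons makes the intent explicit and avoids a sign-compare warning.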
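Review bot: the first locate_kdc.c hunk has the same missing parenthesis: `if ((size < hdrsize) || (size > sizeof(answer.bytes))` lacks its final `)` before `goto out`. The same signed/unsigned point applies to `size > sizeof(answer.bytes)`; an explicit `size < 0 ||` in front of the two length tests is the safer form, since the old `size < hdrsize` test is the only thing that catches a negative return here and its behaviour now depends on how `hdrsize` is typed.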
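Review bot: `CHECK(p,rdlen)` in the second locate_kdc.c hunk sits in the right place, directly after `rdlen = NTOHSP(p,2)` and before the SRV-specific parsing, so a record whose length field overstates its rdata is rejected whatever its type (assuming CHECK(p,n) bails out when n bytes at p would pass the end of the answer, as its use with `CHECK(p,2)` suggests). The hst_realm.c part of this patch only validates the overall reply size; whatever walks the TXT rdata there should get the same per-record guard, otherwise the length field of a single record is still trusted.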
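As an added stand-alone illustration of the two checks this patch is after (written for this reply, not taken from the report or from krb5): it validates a res_search()-style return value against the buffer size, then walks a TXT reply with every wire length checked against the response length, the way CHECK(p,rdlen) is meant to. The packet bytes and the function names are constructed for the example.

```c
#include <stddef.h>
/* Constructed sample (not a captured packet): reply to "_kerberos.example.com IN TXT",
 * one question plus one answer whose name is a compression pointer to the question. */
static const unsigned char SAMPLE[] =
    "\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  /* header: QDCOUNT 1, ANCOUNT 1 */
    "\x09_kerberos\x07" "example\x03" "com\x00"          /* question name */
    "\x00\x10\x00\x01"                                   /* QTYPE TXT, QCLASS IN */
    "\xc0\x0c\x00\x10\x00\x01\x00\x00\x00\x3c\x00\x0c"   /* ptr, TXT, IN, TTL 60, RDLEN 12 */
    "\x0b" "EXAMPLE.COM";                                /* one 11-byte TXT string */
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)

/* Validate the res_search() return value before touching the buffer: negative is an error,
 * under 12 bytes is no header, over bufsize means a truncated reply reported at full length. */
int answer_size_ok(int size, size_t bufsize) {
    if (size < 0) return 0;                   /* test the sign first: (size_t)-1 is huge */
    return (size_t)size >= 12 && (size_t)size <= bufsize;
}

/* Skip a (possibly compressed) name at `off`; returns bytes consumed, 0 on overrun. */
static size_t skip_name(const unsigned char *p, size_t off, size_t len) {
    size_t start = off;
    while (off < len) {
        unsigned char l = p[off];
        if (l == 0) return off + 1 - start;
        if ((l & 0xC0) == 0xC0) return off + 2 <= len ? off + 2 - start : 0;
        off += 1 + l;
    }
    return 0;
}

/* Count TXT answers, checking every wire length against `len` the way the patch's
 * CHECK(p,rdlen) does; returns -1 as soon as a field would run past the response. */
int count_txt_records(const unsigned char *p, size_t len) {
    size_t off = 12, i, n, used, type, rdlen;
    int found = 0;
    if (len < 12) return -1;
    for (i = 0, n = (p[4] << 8) | p[5]; i < n; i++) {      /* question section */
        if ((used = skip_name(p, off, len)) == 0 || off + used + 4 > len) return -1;
        off += used + 4;                                   /* QTYPE, QCLASS */
    }
    for (i = 0, n = (p[6] << 8) | p[7]; i < n; i++) {      /* answer section */
        if ((used = skip_name(p, off, len)) == 0 || off + used + 10 > len) return -1;
        off += used;
        type = (p[off] << 8) | p[off + 1]; rdlen = (p[off + 8] << 8) | p[off + 9];
        off += 10;                                         /* TYPE, CLASS, TTL, RDLEN */
        if (rdlen > len - off) return -1;                  /* rdata past end of reply */
        if (type == 16) found++;                           /* T_TXT */
        off += rdlen;
    }
    return found;
}
```

Passing the sample with a shortened length models a reply the resolver cut off: the overall size check and the per-record RDLEN check each reject it on their own.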