From nalin@blade.devel.redhat.com Wed Oct 9 16:23:04 2002
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by krbdev.mit.edu (8.9.3) with ESMTP
id QAA24755; Wed, 9 Oct 2002 16:23:04 -0400 (EDT)
Received: from blade.devel.redhat.com (nat-pool-rdu.redhat.com [66.187.233.200])
by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id QAA28578
for <krb5-bugs@mit.edu>; Wed, 9 Oct 2002 16:23:03 -0400 (EDT)
Received: from blade.devel.redhat.com (localhost.localdomain [127.0.0.1])
by blade.devel.redhat.com (8.12.5/8.12.5) with ESMTP id g99KN9TG027961
for <krb5-bugs@mit.edu>; Wed, 9 Oct 2002 16:23:09 -0400
Received: (from nalin@localhost)
by blade.devel.redhat.com (8.12.5/8.12.5/Submit) id g99KN9ap027959;
Wed, 9 Oct 2002 16:23:09 -0400
Date: Wed, 9 Oct 2002 16:23:09 -0400
Message-Id: <200210092023.g99KN9ap027959@blade.devel.redhat.com>
To: krb5-bugs@mit.edu
From: nalin@redhat.com
Reply-To: nalin@redhat.com
X-send-pr-version: 3.99
Architecture: i686
glibc 2.2.x/2.3
which is larger than the size of the buffer which is passed in
by the calling application (in this case, libkrb5) if the response
has to be truncated to fit into the buffer. libkrb5 does not
check for this.
information for the local realm, and populate DNS with a large,
unique RRs for the queries libkrb5 will make.
buffer, but the simplest thing is to fail for too-large responses,
which is what should happen anyway if the library attempts to read
past the end of its buffer. This patch hasn't been thorougly
tested, but it looks correct:
--- src/lib/krb5/os/hst_realm.c 2002-10-09 14:03:04.000000000 -0400
+++ src/lib/krb5/os/hst_realm.c 2002-10-09 14:12:43.000000000 -0400
@@ -141,7 +141,7 @@
}
size = res_search(host, C_IN, T_TXT, answer.bytes, sizeof(answer.bytes));
- if (size < 0)
+ if ((size < sizeof(HEADER)) || (size > sizeof(answer.bytes))
return KRB5_ERR_HOST_REALM_UNKNOWN;
p = answer.bytes;
--- src/lib/krb5/os/locate_kdc.c 2002-10-09 14:15:57.000000000 -0400
+++ src/lib/krb5/os/locate_kdc.c 2002-10-09 14:59:26.000000000 -0400
@@ -391,7 +391,7 @@
size = res_search(host, C_IN, T_SRV, answer.bytes, sizeof(answer.bytes));
- if (size < hdrsize)
+ if ((size < hdrsize) || (size > sizeof(answer.bytes))
goto out;
/*
@@ -463,6 +463,8 @@
CHECK(p,2);
rdlen = NTOHSP(p,2);
+ CHECK(p,rdlen);
+
/*
* If this is an SRV record, process it. Record format is:
*
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by krbdev.mit.edu (8.9.3) with ESMTP
id QAA24755; Wed, 9 Oct 2002 16:23:04 -0400 (EDT)
Received: from blade.devel.redhat.com (nat-pool-rdu.redhat.com [66.187.233.200])
by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id QAA28578
for <krb5-bugs@mit.edu>; Wed, 9 Oct 2002 16:23:03 -0400 (EDT)
Received: from blade.devel.redhat.com (localhost.localdomain [127.0.0.1])
by blade.devel.redhat.com (8.12.5/8.12.5) with ESMTP id g99KN9TG027961
for <krb5-bugs@mit.edu>; Wed, 9 Oct 2002 16:23:09 -0400
Received: (from nalin@localhost)
by blade.devel.redhat.com (8.12.5/8.12.5/Submit) id g99KN9ap027959;
Wed, 9 Oct 2002 16:23:09 -0400
Date: Wed, 9 Oct 2002 16:23:09 -0400
Message-Id: <200210092023.g99KN9ap027959@blade.devel.redhat.com>
To: krb5-bugs@mit.edu
From: nalin@redhat.com
Reply-To: nalin@redhat.com
X-send-pr-version: 3.99
Show quoted text
>Submitter-Id: net
>Originator: Nalin Dahyabhai
>Confidential: no
>Synopsis:
>Severity: non-critical
>Priority: low
>Category: krb5-libs
>Class: sw-bug
>Release: krb5-1.2.6
System: Linux 2.4.18>Originator: Nalin Dahyabhai
>Confidential: no
>Synopsis:
>Severity: non-critical
>Priority: low
>Category: krb5-libs
>Class: sw-bug
>Release: krb5-1.2.6
Architecture: i686
glibc 2.2.x/2.3
Show quoted text
>Description:
The res_search() function is allowed to return a result sizewhich is larger than the size of the buffer which is passed in
by the calling application (in this case, libkrb5) if the response
has to be truncated to fit into the buffer. libkrb5 does not
check for this.
Show quoted text
>How-To-Repeat:
Configure a Kerberos client to use DNS to retrieve serverinformation for the local realm, and populate DNS with a large,
unique RRs for the queries libkrb5 will make.
Show quoted text
>Fix:
A longer patch could retry a truncated request with a largerbuffer, but the simplest thing is to fail for too-large responses,
which is what should happen anyway if the library attempts to read
past the end of its buffer. This patch hasn't been thorougly
tested, but it looks correct:
--- src/lib/krb5/os/hst_realm.c 2002-10-09 14:03:04.000000000 -0400
+++ src/lib/krb5/os/hst_realm.c 2002-10-09 14:12:43.000000000 -0400
@@ -141,7 +141,7 @@
}
size = res_search(host, C_IN, T_TXT, answer.bytes, sizeof(answer.bytes));
- if (size < 0)
+ if ((size < sizeof(HEADER)) || (size > sizeof(answer.bytes))
return KRB5_ERR_HOST_REALM_UNKNOWN;
p = answer.bytes;
--- src/lib/krb5/os/locate_kdc.c 2002-10-09 14:15:57.000000000 -0400
+++ src/lib/krb5/os/locate_kdc.c 2002-10-09 14:59:26.000000000 -0400
@@ -391,7 +391,7 @@
size = res_search(host, C_IN, T_SRV, answer.bytes, sizeof(answer.bytes));
- if (size < hdrsize)
+ if ((size < hdrsize) || (size > sizeof(answer.bytes))
goto out;
/*
@@ -463,6 +463,8 @@
CHECK(p,2);
rdlen = NTOHSP(p,2);
+ CHECK(p,rdlen);
+
/*
* If this is an SRV record, process it. Record format is:
*