Skip Menu |
 

Download (untitled) / with headers
text/plain 2.8KiB
From nalin@blade.devel.redhat.com Wed Oct 9 16:23:04 2002
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by krbdev.mit.edu (8.9.3) with ESMTP
id QAA24755; Wed, 9 Oct 2002 16:23:04 -0400 (EDT)
Received: from blade.devel.redhat.com (nat-pool-rdu.redhat.com [66.187.233.200])
by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id QAA28578
for <krb5-bugs@mit.edu>; Wed, 9 Oct 2002 16:23:03 -0400 (EDT)
Received: from blade.devel.redhat.com (localhost.localdomain [127.0.0.1])
by blade.devel.redhat.com (8.12.5/8.12.5) with ESMTP id g99KN9TG027961
for <krb5-bugs@mit.edu>; Wed, 9 Oct 2002 16:23:09 -0400
Received: (from nalin@localhost)
by blade.devel.redhat.com (8.12.5/8.12.5/Submit) id g99KN9ap027959;
Wed, 9 Oct 2002 16:23:09 -0400
Date: Wed, 9 Oct 2002 16:23:09 -0400
Message-Id: <200210092023.g99KN9ap027959@blade.devel.redhat.com>
To: krb5-bugs@mit.edu
From: nalin@redhat.com
Reply-To: nalin@redhat.com
X-send-pr-version: 3.99
Show quoted text
>Submitter-Id: net
>Originator: Nalin Dahyabhai
>Confidential: no
>Synopsis:
>Severity: non-critical
>Priority: low
>Category: krb5-libs
>Class: sw-bug
>Release: krb5-1.2.6
System: Linux 2.4.18
Architecture: i686

glibc 2.2.x/2.3

Show quoted text
>Description:
The res_search() function is allowed to return a result size
which is larger than the size of the buffer which is passed in
by the calling application (in this case, libkrb5) if the response
has to be truncated to fit into the buffer. libkrb5 does not
check for this.
Show quoted text
>How-To-Repeat:
Configure a Kerberos client to use DNS to retrieve server
information for the local realm, and populate DNS with a large,
unique RRs for the queries libkrb5 will make.
Show quoted text
>Fix:
A longer patch could retry a truncated request with a larger
buffer, but the simplest thing is to fail for too-large responses,
which is what should happen anyway if the library attempts to read
past the end of its buffer. This patch hasn't been thorougly
tested, but it looks correct:

--- src/lib/krb5/os/hst_realm.c 2002-10-09 14:03:04.000000000 -0400
+++ src/lib/krb5/os/hst_realm.c 2002-10-09 14:12:43.000000000 -0400
@@ -141,7 +141,7 @@
}
size = res_search(host, C_IN, T_TXT, answer.bytes, sizeof(answer.bytes));

- if (size < 0)
+ if ((size < sizeof(HEADER)) || (size > sizeof(answer.bytes))
return KRB5_ERR_HOST_REALM_UNKNOWN;

p = answer.bytes;
--- src/lib/krb5/os/locate_kdc.c 2002-10-09 14:15:57.000000000 -0400
+++ src/lib/krb5/os/locate_kdc.c 2002-10-09 14:59:26.000000000 -0400
@@ -391,7 +391,7 @@

size = res_search(host, C_IN, T_SRV, answer.bytes, sizeof(answer.bytes));

- if (size < hdrsize)
+ if ((size < hdrsize) || (size > sizeof(answer.bytes))
goto out;

/*
@@ -463,6 +463,8 @@
CHECK(p,2);
rdlen = NTOHSP(p,2);

+ CHECK(p,rdlen);
+
/*
* If this is an SRV record, process it. Record format is:
*
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #1216]
From: Tom Yu <tlyu@mit.edu>
Date: Thu, 10 Oct 2002 19:27:17 -0400
RT-Send-Cc:
Thanks for the patch...

Show quoted text
>>>>> "nalin" == The RT System itself via RT <rt-comment@krbdev.mit.edu> writes:
Show quoted text
nalin> --- src/lib/krb5/os/locate_kdc.c 2002-10-09 14:15:57.000000000 -0400
nalin> +++ src/lib/krb5/os/locate_kdc.c 2002-10-09 14:59:26.000000000 -0400
nalin> @@ -391,7 +391,7 @@

Show quoted text
nalin> size = res_search(host, C_IN, T_SRV, answer.bytes, sizeof(answer.bytes));

Show quoted text
nalin> - if (size < hdrsize)
nalin> + if ((size < hdrsize) || (size > sizeof(answer.bytes))
nalin> goto out;

Show quoted text
nalin> /*
nalin> @@ -463,6 +463,8 @@
nalin> CHECK(p,2);
nalin> rdlen = NTOHSP(p,2);

Show quoted text
nalin> + CHECK(p,rdlen);
nalin> +

Could you please explain why this check for rdlen was added? It seems
redundant.

---Tom
Date: Fri, 11 Oct 2002 15:17:26 -0400
From: Nalin Dahyabhai <nalin@redhat.com>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #1216]
RT-Send-Cc:
On Thu, Oct 10, 2002 at 07:27:21PM -0400, Tom Yu via RT wrote:
Show quoted text
> Thanks for the patch...
[snip]
Show quoted text
> nalin> @@ -463,6 +463,8 @@
> nalin> CHECK(p,2);
> nalin> rdlen = NTOHSP(p,2);
>
> nalin> + CHECK(p,rdlen);
> nalin> +
>
> Could you please explain why this check for rdlen was added? It seems
> redundant.

Oh, you're right. I was trying to guard against missing data for other
RR types, but there's an else block around line 520 that already does
the job.

Thanks,

Nalin
From: tlyu@mit.edu
Subject: CVS Commit
Thanks, (corrected) patch applied.

* hst_realm.c (krb5_try_realm_txt_rr): Apply patch from Nalin
Dahyabhai to bounds-check return value from res_search().

* locate_kdc.c (krb5_locate_srv_dns_1): Apply patch from Nalin
Dahyabhai to bounds-check return value from res_search().


To generate a diff of this commit:



cvs diff -r5.329 -r5.330 krb5/src/lib/krb5/os/ChangeLog
cvs diff -r5.51 -r5.52 krb5/src/lib/krb5/os/hst_realm.c
cvs diff -r5.71 -r5.72 krb5/src/lib/krb5/os/locate_kdc.c
From: tlyu@mit.edu
Subject: CVS Commit
pull up Nalin's patch to check res_search() return value


To generate a diff of this commit:



cvs diff -r5.221.2.25.2.9 -r5.221.2.25.2.10
krb5/src/lib/krb5/os/ChangeLog
cvs diff -r5.36.2.3 -r5.36.2.3.2.1 krb5/src/lib/krb5/os/hst_realm.c
cvs diff -r5.40.2.4 -r5.40.2.4.2.1
krb5/src/lib/krb5/os/locate_kdc.c