Skip Menu |
 

To: krb5-bugs@MIT.EDU
Subject: integer overflow in svcauth_gss_get_principal() [CVE-2007-5902]
From: Tom Yu <tlyu@MIT.EDU>
Date: Wed, 12 Dec 2007 13:39:34 -0500
Download (untitled) / with headers
text/plain 1.8KiB
This is one of the Venustech AD-LAB alleged vulnerabilities.

CVE-2007-5902
http://bugs.gentoo.org/show_bug.cgi?id=199214

This bug consists of an integer overflow in
svcauth_gss_get_principal() in src/lib/rpc/svc_auth_gss.c, which can
cause an invocation of memcpy() to overflow a zero-length allocated
buffer. This is not a practical vulnerability due to the
nigh-impossibility of producing the conditions required to trigger the
bug.

641 svcauth_gss_get_principal(SVCAUTH *auth)
642 {
643 struct svc_rpc_gss_data *gd;
644 char *pname;
645
646 gd = SVCAUTH_PRIVATE(auth);
647
648 if (gd->cname.length == 0)
649 return (NULL);
650
651 if ((pname = malloc(gd->cname.length + 1)) == NULL)
652 return (NULL);
653
654 memcpy(pname, gd->cname.value, gd->cname.length);
655 pname[gd->cname.length] = '\0';
656
657 return (pname);
658 }

If "gd->cname.length" is exactly SIZE_MAX, then the call to malloc()
will have an argument of zero due to the modular arithmetic used on
unsigned integer types in C. If malloc(0) returns a non-null pointer
on a specific platform, then the subsequent memcpy() call can attempt
to copy SIZE_MAX bytes and overflow the zero-length buffer.

The value "gd->cname" results from calling krb5_unparse_name() with a
principal obtained during authentication. To successfully exploit
this vulnerability, an attacker would need to successfully
authenticate using a principal name whose unparsed string
representation is exactly SIZE_MAX+1 bytes long. Such a principal
name is very unlikely to exist, and even if such an unusual principal
did exist, the C implementation would have to successfully allocate a
buffer SIZE_MAX+1 bytes long, which almost certainly will not succeed.
From: tlyu@mit.edu
Subject: SVN Commit

fix CVE-2007-5902: integer overflow in svcauth_gss_get_principal()

Commit By: tlyu



Revision: 20181
Changed Files:
_U trunk/
U trunk/src/lib/rpc/svc_auth_gss.c
From: tlyu@mit.edu
Subject: SVN Commit

pull up r20181 from trunk

r20181@cathode-dark-space: tlyu | 2007-12-14 00:01:23 -0500
ticket: 5855
target_version: 1.6.4
tags: pullup

fix CVE-2007-5902: integer overflow in svcauth_gss_get_principal()



Commit By: tlyu



Revision: 20185
Changed Files:
_U branches/krb5-1-6/
U branches/krb5-1-6/src/lib/rpc/svc_auth_gss.c