Ticket History #6444: CVE-2009-0847 asn1buf_imbed incorrect length validation

asn1buf_imbed() can perform pointer arithmetic that causes the "bound"
pointer of the subbuffer to be less than the "next" pointer. This can
lead to malloc() failure or crash.

In asn1buf_imbed(), check the length before doing arithmetic to set
subbuf->bound. In asn1buf_remove_octetstring() and
asn1buf_remove_charstring(), check for invalid buffer pointers before
executing an unsigned length check against a (casted to size_t)
negative number.

https://github.com/krb5/krb5/commit/9024676102cbd24d08f41fa3de7761d64f13db4d
Commit By: tlyu
Revision: 22175
Changed Files:
U trunk/src/lib/krb5/asn.1/asn1buf.c

pull up r22175 from trunk

------------------------------------------------------------------------
r22175 | tlyu | 2009-04-07 17:22:20 -0400 (Tue, 07 Apr 2009) | 14 lines
Changed paths:
M /trunk/src/lib/krb5/asn.1/asn1buf.c

ticket: 6444
subject: CVE-2009-0847 asn1buf_imbed incorrect length validation
tags: pullup
target_version: 1.7

asn1buf_imbed() can perform pointer arithmetic that causes the "bound"
pointer of the subbuffer to be less than the "next" pointer. This can
lead to malloc() failure or crash.

In asn1buf_imbed(), check the length before doing arithmetic to set
subbuf->bound. In asn1buf_remove_octetstring() and
asn1buf_remove_charstring(), check for invalid buffer pointers before
executing an unsigned length check against a (casted to size_t)
negative number.

https://github.com/krb5/krb5/commit/20e2c2c5443fcb7ad2711e71ed10af9bb9840fbe
Commit By: tlyu
Revision: 22249
Changed Files:
U branches/krb5-1-7/src/lib/krb5/asn.1/asn1buf.c