From fcusack@ratbert.iconnet.net Sat Jan 23 20:21:24 1999
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id UAA02675 for <bugs@RT-11.MIT.EDU>; Sat, 23 Jan 1999 20:21:23 -0500
Received: from ratbert.iconnet.net by MIT.EDU with SMTP
id AA17421; Sat, 23 Jan 99 20:21:37 EST
Received: (from fcusack@localhost)
by ratbert.iconnet.net (8.9.1/8.9.1) id UAA01659;
Sat, 23 Jan 1999 20:23:06 -0500 (EST)
Message-Id: <199901240123.UAA01659@ratbert.iconnet.net>
Date: Sat, 23 Jan 1999 20:23:06 -0500 (EST)
From: fcusack@iconnet.net
Reply-To: fcusack@iconnet.net
To: krb5-bugs@MIT.EDU
Cc: fcusack@iconnet.net
Subject: GSSAPI buf alloc problems in ftp/ftpd
X-Send-Pr-Version: 3.99
System: SunOS ratbert 5.6 Generic_105181-09 sun4u sparc SUNW,Ultra-5_10
Architecture: sun4
>Number: 685
>Category: krb5-appl
>Synopsis: ftp/ftpd misallocates buffer space for GSSAPI
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: tlyu
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Sat Jan 23 20:22:00 EST 1999
>Last-Modified: Thu Feb 25 23:15:01 EST 1999
>Originator: Frank Cusack
>Organization:
Qwest Comm.
>Release: krb5-current-19981012
>Environment:
Unix
System: SunOS ratbert 5.6 Generic_105181-09 sun4u sparc SUNW,Ultra-5_10
Architecture: sun4
>Description:
secure.c, in secure_putbuf(), uses a static buffer for GSSAPI (or KRB4)
data. The size of this buffer is kept in the
static variable `bufsize'. For KRB4, this var is set correctly,
and apparently that code was partially copied for GSSAPI.
In the GSSAPI section, bufsize is set larger (by FUDGE_FACTOR)
than the actual space allocated; this could cause memory
corruption if the next call to secure_putbuf() that needs
a larger buffer is larger by <= FUDGE_FACTOR.
>How-To-Repeat:
>Fix:
Index: src/appl/gssftp/ftp/secure.c
===================================================================
RCS file: /icon/d04/src/3rd-party/krb5-19981012/src/appl/gssftp/ftp/secure.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 secure.c
--- secure.c 1998/10/14 00:47:31 1.1.1.1
+++ secure.c 1999/01/24 01:11:39
@@ -282,7 +282,7 @@
if (outbuf?
(outbuf = realloc(outbuf, (unsigned) out_buf.length)):
(outbuf = malloc((unsigned) out_buf.length))) {
- bufsize = nbyte + FUDGE_FACTOR;
+ bufsize = out_buf.length;
} else {
bufsize = 0;
secure_error("%s (in malloc of PROT buffer)",
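Review bot: `bufsize = out_buf.length;` is the right value here, since it is exactly what the `realloc`/`malloc` on the two lines above reserved, so a later call whose token is larger than the allocation by less than FUDGE_FACTOR can no longer take the reuse path and copy past the end of `outbuf`. One remaining point in this hunk: `outbuf = realloc(outbuf, ...)` assigns the result straight back to `outbuf`, so on failure the original block is lost (leaked) and `outbuf` is NULL; the `else` branch does set `bufsize = 0`, which keeps the bookkeeping consistent with the NULL pointer, but a temporary for the `realloc` result would avoid the leak. The `(unsigned)` casts on `out_buf.length` also deserve a comment if that field is wider than `unsigned int`, since a truncated size would reintroduce the same kind of mismatch between the recorded and the real buffer size.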
>Audit-Trail:
Responsible-Changed-From-To: krb5-unassigned->tlyu
Responsible-Changed-By: tlyu
Responsible-Changed-When: Thu Feb 25 23:08:52 1999
Responsible-Changed-Why:
refiled
State-Changed-From-To: open-closed
State-Changed-By: tlyu
State-Changed-When: Thu Feb 25 23:12:22 1999
State-Changed-Why:
applied
From: Tom Yu <tlyu@MIT.EDU>
To: fcusack@iconnet.net
Cc: krb5-bugs@MIT.EDU, fcusack@iconnet.net
Subject: Re: krb5-appl/685: ftp/ftpd misallocates buffer space for GSSAPI
Date: Thu, 25 Feb 1999 23:12:12 -0500 (EST)
Thanks for the bug report; I'll be checking in your fix shortly. It's
an interim fix though, since FUDGE_FACTOR is actually a really awful
kludge, but fixing it for real would be quite painful.
---Tom
>Unformatted:
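To make the size-bookkeeping mismatch in the report above concrete, the following is an added model written for this page, not code from the gssftp sources or from either correspondent. It assumes a FUDGE_FACTOR of 32 and a fixed 24-byte sealing overhead (both constructed values), models out_buf.length as plaintext length plus that overhead, and assumes the reuse check is `bufsize >= out_buf.length` (the line just above the hunk, which the report does not show). Instead of performing the copy that would run off the end of outbuf, it reports whether that copy would fit, so the buggy and the corrected bookkeeping can be compared safely.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the bufsize bookkeeping in secure_putbuf(); the
 * helpers, the FUDGE_FACTOR value and the sealing overhead are assumptions
 * made for this example, not the gssftp sources. */
#define FUDGE_FACTOR 32          /* assumed value, for illustration only */
#define SEAL_OVERHEAD 24         /* assumed per-token overhead, < FUDGE_FACTOR */

struct prot_buf {
    unsigned char *outbuf;   /* the output buffer (static in gssftp) */
    size_t bufsize;          /* what the code believes is allocated */
    size_t allocated;        /* ground truth, kept only for the check below */
};

/* Models out_buf.length: the sealed token is a little larger than the plaintext. */
static size_t sealed_length(size_t nbyte) { return nbyte + SEAL_OVERHEAD; }

/* Grow outbuf if the sealed token does not fit.  With `fixed' == 0 the
 * bookkeeping is the one the report describes (bufsize = nbyte + FUDGE_FACTOR);
 * with `fixed' != 0 it records the real allocation (bufsize = out_buf.length).
 * Returns 0 on success, -1 on allocation failure. */
static int ensure_room(struct prot_buf *p, size_t nbyte, int fixed) {
    size_t need = sealed_length(nbyte);
    if (p->bufsize >= need)      /* reuse path: trusts bufsize (assumed check) */
        return 0;
    /* realloc into a temporary so the old buffer is not leaked on failure */
    unsigned char *n = realloc(p->outbuf, need);
    if (n == NULL) {
        p->bufsize = 0;
        return -1;
    }
    p->outbuf = n;
    p->allocated = need;
    p->bufsize = fixed ? need : nbyte + FUDGE_FACTOR;
    return 0;
}

/* Instead of copying the token (the write that would overflow), report
 * whether the copy secure_putbuf would perform exceeds the allocation.
 * Returns 1 if the write would run past the end of outbuf, 0 if it fits. */
static int write_would_overflow(const struct prot_buf *p, size_t nbyte) {
    return sealed_length(nbyte) > p->allocated;
}

/* Two consecutive secure_putbuf() calls of `first' and `second' bytes.
 * Returns 1 if the second call would write past the buffer, 0 otherwise,
 * -1 on allocation failure. */
int simulate_two_calls(size_t first, size_t second, int fixed) {
    struct prot_buf p = { NULL, 0, 0 };
    int rc;
    if (ensure_room(&p, first, fixed) < 0 || ensure_room(&p, second, fixed) < 0)
        rc = -1;
    else
        rc = write_would_overflow(&p, second);
    free(p.outbuf);
    return rc;
}

int main(void) {
    printf("buggy bookkeeping, 100 then 105 bytes: overflow=%d\n",
           simulate_two_calls(100, 105, 0));
    printf("fixed bookkeeping, 100 then 105 bytes: overflow=%d\n",
           simulate_two_calls(100, 105, 1));
    printf("buggy bookkeeping, 100 then 140 bytes: overflow=%d\n",
           simulate_two_calls(100, 140, 0));
    return 0;
}
```

With the original bookkeeping, a 100-byte write allocates 124 bytes but records bufsize = 132, so a following 105-byte write (a 129-byte token) takes the reuse path and would run 5 bytes past the allocation: the "larger by <= FUDGE_FACTOR" case in the report. A second write that exceeds the recorded size, or the corrected bookkeeping that records the real allocation, makes the second call grow the buffer instead.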