
From Sat Jan 23 20:21:24 1999
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU []) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id UAA02675 for <bugs@RT-11.MIT.EDU>; Sat, 23 Jan 1999 20:21:23 -0500
Received: from by MIT.EDU with SMTP
id AA17421; Sat, 23 Jan 99 20:21:37 EST
Received: (from fcusack@localhost)
by (8.9.1/8.9.1) id UAA01659;
Sat, 23 Jan 1999 20:23:06 -0500 (EST)
Message-Id: <>
Date: Sat, 23 Jan 1999 20:23:06 -0500 (EST)
To: krb5-bugs@MIT.EDU
Subject: GSSAPI buf alloc problems in ftp/ftpd
X-Send-Pr-Version: 3.99

>Number: 685
>Category: krb5-appl
>Synopsis: ftp/ftpd misallocates buffer space for GSSAPI
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: tlyu
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Sat Jan 23 20:22:00 EST 1999
>Last-Modified: Thu Feb 25 23:15:01 EST 1999
>Originator: Frank Cusack
Qwest Comm.
>Release: krb5-current-19981012
System: SunOS ratbert 5.6 Generic_105181-09 sun4u sparc SUNW,Ultra-5_10
Architecture: sun4

secure.c, in secure_putbuf(), uses a static buffer for GSSAPI
(or KRB4) data. The size of this buffer is kept in the
static variable `bufsize'. For KRB4, this var is set correctly,
and apparently that code was partially copied for GSSAPI.

In the GSSAPI section, bufsize is set larger (by FUDGE_FACTOR)
than the actual space allocated; this could cause memory
corruption if the next call to secure_putbuf() that needs
a larger buffer is larger by <= FUDGE_FACTOR.
Index: src/appl/gssftp/ftp/secure.c
RCS file: /icon/d04/src/3rd-party/krb5-19981012/src/appl/gssftp/ftp/secure.c,v
retrieving revision
diff -u -r1.1.1.1 secure.c
--- secure.c 1998/10/14 00:47:31
+++ secure.c 1999/01/24 01:11:39
@@ -282,7 +282,7 @@
if (outbuf?
(outbuf = realloc(outbuf, (unsigned) out_buf.length)):
(outbuf = malloc((unsigned) out_buf.length))) {
- bufsize = nbyte + FUDGE_FACTOR;
+ bufsize = out_buf.length;
} else {
bufsize = 0;
secure_error("%s (in malloc of PROT buffer)",
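Review bot: the realloc idiom kept as context in this hunk, `(outbuf = realloc(outbuf, (unsigned) out_buf.length))`, assigns the result straight back to outbuf, so when realloc fails it returns NULL while the old block stays allocated and becomes unreachable; the else branch then records bufsize = 0, and for a static buffer that leak is permanent. Suggest reallocating into a temporary and assigning outbuf only on success. The changed line itself is right: `bufsize = out_buf.length;` records the size actually passed to malloc/realloc, which is the invariant the report says the old `nbyte + FUDGE_FACTOR` value violated. The `(unsigned)` casts on both allocation calls will also silently truncate a large out_buf.length where size_t is wider than unsigned, which deserves a look now that bufsize is tied to that value.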
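The report's mechanism, as an added example that is not krb5's own code: a small model of the size-tracking state secure_putbuf() keeps between calls, with the pre-fix policy (bufsize derived from the plaintext length plus FUDGE_FACTOR) beside the post-fix one (bufsize equal to the allocated length). The struct name, helper names, and the values of FUDGE_FACTOR and GSS_OVERHEAD are constructed for this example; the check reports whether a second message would be copied past the real allocation while the tracked size claims it fits.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in constants (constructed for this example): the real FUDGE_FACTOR
 * lives in secure.c, and the real per-message GSS overhead depends on the
 * mechanism and token type. */
#define FUDGE_FACTOR 64
#define GSS_OVERHEAD 32

/* Minimal model of the state secure_putbuf() keeps between calls. */
struct prot_buf {
    unsigned char *outbuf;  /* heap buffer receiving the wrapped message */
    size_t alloc;           /* bytes really allocated: the ground truth */
    size_t bufsize;         /* bytes the code *believes* outbuf can hold */
};

typedef int (*grow_fn)(struct prot_buf *, size_t nbyte, size_t wrapped_len);

/* Grow outbuf if the wrapped message will not fit the believed size.
 * realloc() goes through a temporary so a failure does not leak outbuf.
 * Returns 1 when no growth was needed, 0 when grown, -1 on failure. */
static int ensure_space(struct prot_buf *b, size_t wrapped_len)
{
    unsigned char *p;
    if (wrapped_len <= b->bufsize)
        return 1;                      /* believed to fit: no reallocation */
    p = realloc(b->outbuf, wrapped_len);
    if (p == NULL)
        return -1;
    b->outbuf = p;
    b->alloc = wrapped_len;
    return 0;
}

/* Pre-fix behaviour: bufsize is derived from the plaintext length plus a
 * fudge, not from what was allocated, so it can exceed alloc. */
static int grow_buggy(struct prot_buf *b, size_t nbyte, size_t wrapped_len)
{
    int r = ensure_space(b, wrapped_len);
    if (r == 0)
        b->bufsize = nbyte + FUDGE_FACTOR;   /* BUG: may be larger than alloc */
    return r < 0 ? -1 : 0;
}

/* Post-fix behaviour: bufsize is exactly the allocated length. */
static int grow_fixed(struct prot_buf *b, size_t nbyte, size_t wrapped_len)
{
    int r = ensure_space(b, wrapped_len);
    (void)nbyte;
    if (r == 0)
        b->bufsize = wrapped_len;             /* matches alloc */
    return r < 0 ? -1 : 0;
}

/* 1 if copying len bytes into outbuf would run past the real allocation
 * while the tracked bufsize claims it fits: the corruption the report describes. */
static int would_overflow(const struct prot_buf *b, size_t len)
{
    return len <= b->bufsize && len > b->alloc;
}

/* Two consecutive putbuf-style calls with plaintext lengths n1 then n2;
 * returns whether the second call would overflow, or -1 on allocation failure. */
static int second_call_overflows(grow_fn grow, size_t n1, size_t n2)
{
    struct prot_buf b = { NULL, 0, 0 };
    size_t w1 = n1 + GSS_OVERHEAD, w2 = n2 + GSS_OVERHEAD;
    int r = -1;
    if (grow(&b, n1, w1) == 0 && grow(&b, n2, w2) == 0)
        r = would_overflow(&b, w2);
    free(b.outbuf);
    return r;
}

int main(void)
{
    printf("buggy, second message 20 bytes longer:  overflow=%d\n",
           second_call_overflows(grow_buggy, 100, 120));
    printf("fixed, same messages:                   overflow=%d\n",
           second_call_overflows(grow_fixed, 100, 120));
    printf("buggy, second message 100 bytes longer: overflow=%d\n",
           second_call_overflows(grow_buggy, 100, 200));
    return 0;
}
```

With these constructed constants the believed size exceeds the allocation by FUDGE_FACTOR minus the GSS overhead, so a second message that grows by less than that margin skips the reallocation and would be copied past the end of outbuf; a second message that grows by more is reallocated and is safe, which is why the report's trigger condition is an upper bound on the size increase rather than a lower one. The fixed policy keeps bufsize equal to alloc, so the overflow check never fires.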

Responsible-Changed-From-To: krb5-unassigned->tlyu
Responsible-Changed-By: tlyu
Responsible-Changed-When: Thu Feb 25 23:08:52 1999


State-Changed-From-To: open-closed
State-Changed-By: tlyu
State-Changed-When: Thu Feb 25 23:12:22 1999


From: Tom Yu <tlyu@MIT.EDU>
Cc: krb5-bugs@MIT.EDU,
Subject: Re: krb5-appl/685: ftp/ftpd misallocates buffer space for GSSAPI
Date: Thu, 25 Feb 1999 23:12:12 -0500 (EST)

Thanks for the bug report; I'll be checking in your fix shortly. It's
an interim fix though, since FUDGE_FACTOR is actually a really awful
kludge, but fixing it for real would be quite painful.
