Skip Menu |
 

From: Nickolai Zeldovich <nickolai@csail.mit.edu>
Date: Sun, 9 Dec 2012 00:15:32 -0500
Subject: Various nits in krb5-1.10.3
To: krb5-bugs@MIT.EDU
Download (untitled) / with headers
text/plain 1.4KiB
src/plugins/preauth/pkinit/pkinit_clnt.c:1392 checks whether
out==NULL, but it's already known to be non-NULL at that point.
Perhaps it was meant to check out[i-1]==NULL?

src/lib/kdb/kdb_log.c:207 checks if cur_sno==ULONG_MAX to detect
overflow, but that's always false on a system with 64-bit long, since
cur_sno is kdb_sno_t==uint32_t.

src/lib/gssapi/spnego/spnego_mech.c:3979 tries to check whether
gssint_get_der_length returns a negative value, but the check is
always false because gssint_get_der_length's return value is assigned
to seqsize, an unsigned int. Similar problems show up at
src/lib/gssapi/spnego/spnego_mech.c:3996 and src/kdc/kdc_util.c:1121.

src/kdc/kdc_preauth.c:510 multiplies the number of enctypes it got
from a krb5_kdc_req by sizeof(krb5_keyblock), and allocates that much
memory, without checking for overflow. On a 32-bit machine,
sizeof(krb5_keyblock) is 4 times larger than the sizeof(krb5_enctype)
that the client has to send along with the request, so it seems
vaguely possible for a client to send 2^30 enctypes and get the server
to allocate 2^32=0 bytes of memory. I didn't check whether a client
can really send an as_req with 2^30 enctypes, but it may be worth
fixing just in case.

src/kadmin/dbutil/dump.c:1855 multiplies a value it read from the dump
file by sizeof(krb5_key_data), and allocates that much memory, without
checking for overflow. This doesn't seem like a particularly big
deal, since the dump file is likely trusted, though.

Nickolai.
The second problem (kdb_log.c) was already fixed on master in
e7aa25d215a9d4baa95643f2d19e44036e57af72.

The fourth problem (kdc_preauth.c) is not likely to be a practical issue
because we won't process a KDC request longer than 1MB. But I'll change
the code to use calloc() since it's simpler (and likewise for dump.c).
From: ghudson@mit.edu
Subject: SVN Commit

Fix various integer issues

In kdc_util.c and spnego_mech.c, error returns from ASN.1 length
functions could be ignored because they were assigned to unsigned
values. In spnego_mech.c, two buffer size checks could be rewritten
to reduce the likelihood of pointer overflow. In dump.c and
kdc_preauth.c, calloc() could be used to simplify the code and avoid
multiplication overflow. In pkinit_clnt.c, the wrong value was
checked for a null result from malloc(), and the code could be
simplified.

Reported by Nickolai Zeldovich <nickolai@csail.mit.edu>.

https://github.com/krb5/krb5/commit/d3c5450ddf0b20855e86dab41735d56c6860156b
Author: Greg Hudson <ghudson@mit.edu>
Commit: d3c5450ddf0b20855e86dab41735d56c6860156b
Branch: master
src/kadmin/dbutil/dump.c | 3 +-
src/kdc/kdc_preauth.c | 3 +-
src/kdc/kdc_util.c | 3 +-
src/lib/gssapi/spnego/spnego_mech.c | 6 ++--
src/plugins/preauth/pkinit/pkinit_clnt.c | 43 ++++++++---------------------
5 files changed, 19 insertions(+), 39 deletions(-)
From: tlyu@mit.edu
Subject: SVN Commit

Fix various integer issues

In kdc_util.c and spnego_mech.c, error returns from ASN.1 length
functions could be ignored because they were assigned to unsigned
values. In spnego_mech.c, two buffer size checks could be rewritten
to reduce the likelihood of pointer overflow. In dump.c and
kdc_preauth.c, calloc() could be used to simplify the code and avoid
multiplication overflow.

Reported by Nickolai Zeldovich <nickolai@csail.mit.edu>.

(cherry picked from commit d3c5450ddf0b20855e86dab41735d56c6860156b)

[tlyu@mit.edu: omitted pkinit fix because it's not conservative]

https://github.com/krb5/krb5/commit/760bcda6c627e66684b54285f744f5584b804642
Author: Tom Yu <tlyu@mit.edu>
Commit: 760bcda6c627e66684b54285f744f5584b804642
Branch: krb5-1.11
src/kadmin/dbutil/dump.c | 3 +--
src/kdc/kdc_preauth.c | 3 +--
src/kdc/kdc_util.c | 3 ++-
src/lib/gssapi/spnego/spnego_mech.c | 6 +++---
4 files changed, 7 insertions(+), 8 deletions(-)