Subject: Potential integer overflows
Date: Tue, 27 Jul 2021 20:35:32 +0900
From: "Kihong Heo" <kihong.heo@gmail.com>
CC: "강우석" <kangwoosukeq@kaist.ac.kr>
To: krb5-bugs@mit.edu

Dear Kerberos developers,

It seems that there exist several potential integer overflows that can lead to buffer overflows. Please find the following description:

In the latest version of Kerberos (1.19.2):

1. src/kadmin/dbutil/dump.c:660: fscanf reads arbitrarily large integers into u1, u2, …

2. src/kadmin/dbutil/dump.c:671: Call to malloc with the large integer added by one can return a non-null yet invalid address according to the standard.

3. src/kadmin/dbutil/dump.c:685: Call to calloc with the large integer can cause a memory allocation with an overflowed integer.

Best,
Kihong


Subject: git commit
From: ghudson@mit.edu

Add more dump.c bounds checks

Although dump files are privileged inputs, the code to read them
should not admit integer overflows. Add bounds checks for several
fields which are used as allocation lengths or are assigned to
structure fields of smaller size and different signedness. Reported
by Sharwan Ram and Kihong Heo.

https://github.com/krb5/krb5/commit/d15930bec22781473c2eaf72c08a145508b373ba
Author: Greg Hudson <ghudson@mit.edu>
Commit: d15930bec22781473c2eaf72c08a145508b373ba
Branch: master
src/kadmin/dbutil/dump.c | 14 +++++++++++++-
1 files changed, 13 insertions(+), 1 deletions(-)
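The pattern the report describes (an fscanf-read count used directly as an allocation length) next to the kind of bounds check the commit message says was added, as an added illustration only: this is hypothetical code written for this page, not krb5's dump.c, and MAX_FIELD_LEN, the function names and the constructed input lines are assumptions.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed upper bound for a length field in a dump record (constructed for
 * this example; the real reader picks its own limits per field). */
#define MAX_FIELD_LEN 4096

/* Unsafe pattern: the unsigned value read by fscanf("%u") becomes an
 * allocation length.  With u == UINT_MAX, u + 1 wraps to 0, so malloc(0)
 * can return a non-NULL pointer that any later copy into it overruns. */
static size_t unchecked_alloc_len(unsigned int u)
{
    return u + 1;           /* computed in unsigned int: wraps to 0 */
}

/* Hardened pattern: reject the field before it is used as a length.
 * Returns 0 and stores a size_t safe to pass to malloc, or -1 on failure. */
static int checked_alloc_len(unsigned int u, size_t *out)
{
    if (u > MAX_FIELD_LEN)
        return -1;          /* field too large for a dump record */
    *out = (size_t)u + 1;   /* cannot wrap: u <= MAX_FIELD_LEN */
    return 0;
}

/* Parse "<count> <len>" from one record line and apply both checks before
 * either value is used for calloc(count, ...) or malloc(len + 1). */
static int parse_record_lengths(const char *line, unsigned int *count,
                                size_t *len)
{
    unsigned int u1, u2;

    if (sscanf(line, "%u %u", &u1, &u2) != 2)
        return -1;          /* malformed record */
    if (u1 > MAX_FIELD_LEN)
        return -1;          /* calloc element count out of range */
    if (checked_alloc_len(u2, len) != 0)
        return -1;          /* string length out of range */
    *count = u1;
    return 0;
}
```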