From 9c10c202f1f2e516dde8b70c3a3b69a73d163070 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Sun, 4 May 2014 05:30:25 -0400
Subject: [PATCH] Fix buffer length validation in ktc_GetToken and knfs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The signed int tktLen is checked against a maximum size, then passed as the unsigned size_t argument to memcpy. So we need to make sure it isn’t negative.

This doesn’t appear to be exploitable: tktLen comes from the kernel, which should have previously validated the length within the SETTOK pioctl.

This bug was found with STACK .

Change-Id: I781bd300cad3d725d3517e7f6ac9e6423c417087
Signed-off-by: Anders Kaseorg
Reviewed-on: http://gerrit.openafs.org/11109
Reviewed-by: Chas Williams - CONTRACTOR
Tested-by: BuildBot
Reviewed-by: Jeffrey Altman
---
 src/auth/ktc.c | 2 +-
 src/kauth/knfs.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/auth/ktc.c b/src/auth/ktc.c
index 002f53bb5d..6853b0fc0a 100644
--- a/src/auth/ktc.c
+++ b/src/auth/ktc.c
@@ -682,7 +682,7 @@ GetToken(struct ktc_principal *aserver, struct ktc_token *atoken,
 /* got token for cell; check that it will fit */
 maxLen = atokenLen - sizeof(struct ktc_token) + MAXKTCTICKETLEN;
- if (maxLen < tktLen) {
+ if (tktLen < 0 || tktLen > maxLen) {
 UNLOCK_GLOBAL_MUTEX;
 return KTC_TOOBIG;
 }
diff --git a/src/kauth/knfs.c b/src/kauth/knfs.c
index 628982954b..e7c257a17e 100644
--- a/src/kauth/knfs.c
+++ b/src/kauth/knfs.c
@@ -163,7 +163,7 @@ GetTokens(afs_int32 ahost, afs_int32 auid)
 maxLen = sizeof(token) - sizeof(struct ktc_token) + MAXKTCTICKETLEN;
- if (maxLen < tktLen)
+ if (tktLen < 0 || tktLen > maxLen)
 return KTC_TOOBIG;
 memcpy(token.ticket, stp, tktLen);
 token.startTime = ct.BeginTimestamp;
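Review bot: The new guard `tktLen < 0 || tktLen > maxLen` in the ktc.c hunk only rejects what the commit intends if maxLen is a signed type; maxLen is assigned from `atokenLen - sizeof(struct ktc_token) + MAXKTCTICKETLEN`, which sizeof forces into size_t arithmetic, so a small atokenLen wraps before the store and what the comparison sees depends on maxLen's declaration, which is outside the hunk. If maxLen is an int, the wrapped value typically converts to a negative maxLen and the new test then rejects every non-negative tktLen, which is the safe outcome; if it is size_t, tktLen is converted to unsigned in the second comparison and that is sound only because the first comparison has already excluded negatives. That dependency deserves a comment above the check, e.g. `/* tktLen is a signed int from the kernel; reject negatives before it is widened to the size_t length of memcpy */`. The same pattern and the same fix appear in the knfs.c hunk, which is cut off at the end of this view. GetToken begins and ends outside the hunk.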