Fix buffer length validation in ktc_GetToken and knfs

The signed int tktLen is checked against a maximum size, then passed as the unsigned size_t argument to memcpy. So we need to make sure it isn’t negative. This doesn’t appear to be exploitable: tktLen comes from the kernel, which should have previously validated the length within the SETTOK pioctl. This bug was found with STACK <http://css.csail.mit.edu/stack/>. Change-Id: I781bd300cad3d725d3517e7f6ac9e6423c417087 Signed-off-by: Anders Kaseorg <andersk@mit.edu> Reviewed-on: http://gerrit.openafs.org/11109 Reviewed-by: Chas Williams - CONTRACTOR <chas@cmf.nrl.navy.mil> Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
2025-01-19 07:20:11 +00:00 · 2014-05-04 05:30:25 -04:00 · 2014-05-04 05:30:25 -04:00 · 9c10c202f1
commit 9c10c202f1
parent 279345c231
2 changed files with 2 additions and 2 deletions
--- a/src/auth/ktc.c
+++ b/src/auth/ktc.c
@ -682,7 +682,7 @@ GetToken(struct ktc_principal *aserver, struct ktc_token *atoken,
 		/* got token for cell; check that it will fit */
 		maxLen =
 		    atokenLen - sizeof(struct ktc_token) + MAXKTCTICKETLEN;
-		if (maxLen < tktLen) {
+		if (tktLen < 0 || tktLen > maxLen) {
 		    UNLOCK_GLOBAL_MUTEX;
 		    return KTC_TOOBIG;
 		}
--- a/src/kauth/knfs.c
+++ b/src/kauth/knfs.c
@ -163,7 +163,7 @@ GetTokens(afs_int32 ahost, afs_int32 auid)
 		maxLen =
 		    sizeof(token) - sizeof(struct ktc_token) +
 		    MAXKTCTICKETLEN;
-		if (maxLen < tktLen)
+		if (tktLen < 0 || tktLen > maxLen)
 		    return KTC_TOOBIG;
 		memcpy(token.ticket, stp, tktLen);
 		token.startTime = ct.BeginTimestamp;