
Fix buffer overflow in kadmind4 (remote user can gain root access to KDC host).

Obtained from:	Tom Yu <tlyu@mit.edu> on kerberos-announce mailing list,
		MIT krb5 Security Advisory 2002-002
Cy Schubert 2002-10-23 22:30:39 +00:00
parent c70dadd8bf
commit cf7aca2a64
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=68693
8 changed files with 108 additions and 0 deletions


@ -7,6 +7,7 @@
PORTNAME= krb5
PORTVERSION= 1.2.6
PORTREVISION= 1
CATEGORIES= security
.if defined(USA_RESIDENT) && ${USA_RESIDENT} == "NO"
MASTER_SITES= http://www.crypto-publish.org/dist/mit-kerberos5/


@ -0,0 +1,26 @@
--- kadmin/v4server/kadm_ser_wrap.c.orig Tue May 23 14:44:50 2000
+++ kadmin/v4server/kadm_ser_wrap.c Wed Oct 23 15:15:24 2002
@@ -170,14 +170,21 @@
u_char *retdat, *tmpdat;
int retval, retlen;
- if (strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
+ if ((*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4))
+ || strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
errpkt(dat, dat_len, KADM_BAD_VER);
return KADM_BAD_VER;
}
in_len = KADM_VERSIZE;
/* get the length */
- if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0)
+ if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0
+ || (r_len > *dat_len - KADM_VERSIZE - sizeof(krb5_ui_4))
+ || (*dat_len - r_len - KADM_VERSIZE -
+ sizeof(krb5_ui_4) > sizeof(authent.dat))) {
+ errpkt(dat, dat_len, KADM_LENGTH_ERROR);
return KADM_LENGTH_ERROR;
+ }
+
in_len += retc;
authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4);
memcpy((char *)authent.dat, (char *)(*dat) + in_len, authent.length);
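Review bot: The authenticator length `*dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4)` is written out three times: twice in the new guard and again in the `authent.length` assignment that feeds `memcpy`. The bound that is checked and the length that is copied therefore agree only while all three copies are edited together. Computing it once after the `r_len` range test, e.g. `auth_len = *dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4);` then `if (auth_len > sizeof(authent.dat))`, would tie the check to the copy. A comment above the guard would also help, such as `/* r_len comes from the packet: it must fit in the payload so the subtraction cannot wrap, and the remainder must fit in authent.dat */`, because the order of the two `r_len` tests is what makes the second one meaningful. The declarations of `dat_len` and `r_len` are outside the hunk; if `*dat_len` is a signed int, a negative value would compare as a large unsigned number in `*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4)`, so that is worth confirming against the callers. The same patch text is repeated in the three later file sections on this page, and the enclosing function starts and ends outside the hunk.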


@ -7,6 +7,7 @@
PORTNAME= krb5
PORTVERSION= 1.2.6
PORTREVISION= 1
CATEGORIES= security
.if defined(USA_RESIDENT) && ${USA_RESIDENT} == "NO"
MASTER_SITES= http://www.crypto-publish.org/dist/mit-kerberos5/


@ -0,0 +1,26 @@
--- kadmin/v4server/kadm_ser_wrap.c.orig Tue May 23 14:44:50 2000
+++ kadmin/v4server/kadm_ser_wrap.c Wed Oct 23 15:15:24 2002
@@ -170,14 +170,21 @@
u_char *retdat, *tmpdat;
int retval, retlen;
- if (strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
+ if ((*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4))
+ || strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
errpkt(dat, dat_len, KADM_BAD_VER);
return KADM_BAD_VER;
}
in_len = KADM_VERSIZE;
/* get the length */
- if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0)
+ if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0
+ || (r_len > *dat_len - KADM_VERSIZE - sizeof(krb5_ui_4))
+ || (*dat_len - r_len - KADM_VERSIZE -
+ sizeof(krb5_ui_4) > sizeof(authent.dat))) {
+ errpkt(dat, dat_len, KADM_LENGTH_ERROR);
return KADM_LENGTH_ERROR;
+ }
+
in_len += retc;
authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4);
memcpy((char *)authent.dat, (char *)(*dat) + in_len, authent.length);


@ -7,6 +7,7 @@
PORTNAME= krb5
PORTVERSION= 1.2.6
PORTREVISION= 1
CATEGORIES= security
.if defined(USA_RESIDENT) && ${USA_RESIDENT} == "NO"
MASTER_SITES= http://www.crypto-publish.org/dist/mit-kerberos5/


@ -0,0 +1,26 @@
--- kadmin/v4server/kadm_ser_wrap.c.orig Tue May 23 14:44:50 2000
+++ kadmin/v4server/kadm_ser_wrap.c Wed Oct 23 15:15:24 2002
@@ -170,14 +170,21 @@
u_char *retdat, *tmpdat;
int retval, retlen;
- if (strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
+ if ((*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4))
+ || strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
errpkt(dat, dat_len, KADM_BAD_VER);
return KADM_BAD_VER;
}
in_len = KADM_VERSIZE;
/* get the length */
- if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0)
+ if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0
+ || (r_len > *dat_len - KADM_VERSIZE - sizeof(krb5_ui_4))
+ || (*dat_len - r_len - KADM_VERSIZE -
+ sizeof(krb5_ui_4) > sizeof(authent.dat))) {
+ errpkt(dat, dat_len, KADM_LENGTH_ERROR);
return KADM_LENGTH_ERROR;
+ }
+
in_len += retc;
authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4);
memcpy((char *)authent.dat, (char *)(*dat) + in_len, authent.length);


@ -7,6 +7,7 @@
PORTNAME= krb5
PORTVERSION= 1.2.6
PORTREVISION= 1
CATEGORIES= security
.if defined(USA_RESIDENT) && ${USA_RESIDENT} == "NO"
MASTER_SITES= http://www.crypto-publish.org/dist/mit-kerberos5/


@ -0,0 +1,26 @@
--- kadmin/v4server/kadm_ser_wrap.c.orig Tue May 23 14:44:50 2000
+++ kadmin/v4server/kadm_ser_wrap.c Wed Oct 23 15:15:24 2002
@@ -170,14 +170,21 @@
u_char *retdat, *tmpdat;
int retval, retlen;
- if (strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
+ if ((*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4))
+ || strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
errpkt(dat, dat_len, KADM_BAD_VER);
return KADM_BAD_VER;
}
in_len = KADM_VERSIZE;
/* get the length */
- if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0)
+ if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0
+ || (r_len > *dat_len - KADM_VERSIZE - sizeof(krb5_ui_4))
+ || (*dat_len - r_len - KADM_VERSIZE -
+ sizeof(krb5_ui_4) > sizeof(authent.dat))) {
+ errpkt(dat, dat_len, KADM_LENGTH_ERROR);
return KADM_LENGTH_ERROR;
+ }
+
in_len += retc;
authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4);
memcpy((char *)authent.dat, (char *)(*dat) + in_len, authent.length);