Protect against negative n_ks_tuple values and against randkey returning negative n_keys

2011-07-24 11:08:58 -05:00
parent 95262936c7
commit 11c54cd6c8
2 changed files with 10 additions and 0 deletions
--- a/kadmin/server.c
+++ b/kadmin/server.c
@@ -395,6 +395,12 @@ kadmind_dispatch(void *kadm_handlep, krb5_boolean initial,
 	} else if (ret == 0) {
 	    size_t i;

+	    if (n_ks_tuple < 0) {
+		ret = EOVERFLOW;
+		krb5_free_principal(contextp->context, princ);
+		goto fail;
+	    }
+
 	    if ((ks_tuple = calloc(n_ks_tuple, sizeof (*ks_tuple))) == NULL) {
 		ret = errno;
 		krb5_free_principal(contextp->context, princ);
--- a/lib/kadm5/randkey_c.c
+++ b/lib/kadm5/randkey_c.c
@@ -113,6 +113,10 @@ kadm5_c_randkey_principal(void *server_handle,
 	int i;

 	krb5_ret_int32(sp, &tmp);
+	if (tmp < 0) {
+	    ret = EOVERFLOW;
+	    goto out;
+	}
 	k = malloc(tmp * sizeof(*k));
 	if (k == NULL) {
 	    ret = ENOMEM;