oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Protect against negative n_ks_tuple values and against randkey returning negative n_keys

Browse Source
This commit is contained in:
Nicolas Williams
2011-07-24 11:08:58 -05:00
parent 95262936c7
commit 11c54cd6c8
2 changed files with 10 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
kadmin/server.c
View File

@@ -395,6 +395,12 @@ kadmind_dispatch(void *kadm_handlep, krb5_boolean initial,
} else if (ret == 0) { } else if (ret == 0) {
size_t i; size_t i;
if (n_ks_tuple < 0) {
ret = EOVERFLOW;
krb5_free_principal(contextp->context, princ);
goto fail;
}
if ((ks_tuple = calloc(n_ks_tuple, sizeof (*ks_tuple))) == NULL) { if ((ks_tuple = calloc(n_ks_tuple, sizeof (*ks_tuple))) == NULL) {
ret = errno; ret = errno;
krb5_free_principal(contextp->context, princ); krb5_free_principal(contextp->context, princ);

4
lib/kadm5/randkey_c.c
View File

@@ -113,6 +113,10 @@ kadm5_c_randkey_principal(void *server_handle,
int i; int i;
krb5_ret_int32(sp, &tmp); krb5_ret_int32(sp, &tmp);
if (tmp < 0) {
ret = EOVERFLOW;
goto out;
}
k = malloc(tmp * sizeof(*k)); k = malloc(tmp * sizeof(*k));
if (k == NULL) { if (k == NULL) {
ret = ENOMEM; ret = ENOMEM;