While decoding arguments for kadm_chpass_with_key, sanity check the

number of keys given: must be non-negative, small enough that it is not truncated when stuffed into an int16_t for kadm5_free_key_data, and small enough to avoid integer overflow when calculating the memory required for the keys themselves. XXX Why does kadm5_free_key_data use int16_t? git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11415 ec53bebd-3082-4978-b11e-865c3cabbd6b
2002-09-09 14:40:08 +00:00
parent 5e6f1d8e82
commit 1d61dd312f
2 changed files with 12 additions and 0 deletions
--- a/kadmin/ChangeLog
+++ b/kadmin/ChangeLog
@@ -1,3 +1,8 @@
+2002-09-09  Jacques Vidrine  <nectar@kth.se>
+
+	* server.c (kadmind_dispatch): while decoding arguments for
+	kadm_chpass_with_key, sanity check the number of keys given
+
 2002-09-04  Johan Danielsson  <joda@pdc.kth.se>

 	* load.c (parse_generation): return if there is no generation
--- a/kadmin/server.c
+++ b/kadmin/server.c
@@ -255,6 +255,13 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 	    krb5_free_principal(context->context, princ);
 	    goto fail;
 	}
+	/* n_key_data will be squeezed into an int16_t below. */
+	if (n_key_data < 0 || n_key_data >= 1 << 16 ||
+	    n_key_data > UINT_MAX/sizeof(*key_data)) {
+	    ret = ERANGE;
+	    krb5_free_principal(context->context, princ);
+	    goto fail;
+	}

 	key_data = malloc (n_key_data * sizeof(*key_data));
 	if (key_data == NULL) {