krb5: Fix UB

Nicolas Williams
2022-10-26 01:54:13 -05:00
parent 5b1c69b424
commit 8e9ad6eda2
6 changed files with 29 additions and 13 deletions


@@ -328,7 +328,8 @@ krb_enc(krb5_context context,
}
if (decrypt.length != clear->length ||
memcmp(decrypt.data, clear->data, decrypt.length) != 0) {
(decrypt.length &&
memcmp(decrypt.data, clear->data, decrypt.length) != 0)) {
krb5_warnx(context, "clear text not same");
return EINVAL;
}
@@ -568,7 +569,8 @@ krb_enc_mit(krb5_context context,
return ret;
if (decrypt.length != clear->length ||
memcmp(decrypt.data, clear->data, decrypt.length) != 0) {
(decrypt.length &&
memcmp(decrypt.data, clear->data, decrypt.length) != 0)) {
krb5_warnx(context, "clear text not same");
return EINVAL;
}


@@ -82,9 +82,11 @@ _krb5_evp_digest_iov(krb5_crypto crypto,
if (ret != 1)
goto out;
/* Minimize EVP calls by coalescing contiguous iovec elements */
for (i = 0; i < niov; i++) {
if (_krb5_crypto_iov_should_sign(&iov[i])) {
if ((char *)current.data + current.length == iov[i].data.data) {
if (current.data &&
(char *)current.data + current.length == iov[i].data.data) {
current.length += iov[i].data.length;
} else {
if (current.data) {
@@ -145,7 +147,8 @@ _krb5_evp_hmac_iov(krb5_context context,
for (i = 0; i < niov; i++) {
if (_krb5_crypto_iov_should_sign(&iov[i])) {
if ((char *)current.data + current.length == iov[i].data.data) {
if (current.data &&
(char *)current.data + current.length == iov[i].data.data) {
current.length += iov[i].data.length;
} else {
if (current.data)
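Review bot: The new `current.data &&` guard in both coalescing loops (_krb5_evp_digest_iov and _krb5_evp_hmac_iov) carries no comment saying why it is there, so it reads as redundant and is easy to drop in a later cleanup. I would add above the condition something like `/* current.data is NULL until the first signed element; pointer arithmetic on NULL is undefined */`. Both loops start and end outside the hunks, so the initial state of `current` is inferred from the `if (current.data)` test in the else branch.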


@@ -92,8 +92,9 @@ AES_SHA2_string_to_key(krb5_context context,
goto cleanup;
}
memcpy(saltp.data, et->name, enctypesz);
memcpy((unsigned char *)saltp.data + enctypesz,
salt.saltvalue.data, salt.saltvalue.length);
if (salt.saltvalue.length)
memcpy((unsigned char *)saltp.data + enctypesz,
salt.saltvalue.data, salt.saltvalue.length);
ret = _krb5_aes_sha2_md_for_enctype(context, enctype, &md);
if (ret)
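Review bot: The guarded `memcpy` spans two lines under an unbraced `if (salt.saltvalue.length)`, which is the layout where a statement added later silently escapes the condition. In key-derivation code I would brace it, `if (salt.saltvalue.length) {` … `}`. The same unbraced form is added in krb5_DES_string_to_key, DES3_string_to_key_derived and emem_store. AES_SHA2_string_to_key starts and ends outside this hunk.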


@@ -194,7 +194,8 @@ krb5_DES_string_to_key(krb5_context context,
if (len > 0 && s == NULL)
return krb5_enomem(context);
memcpy(s, password.data, password.length);
memcpy(s + password.length, salt.saltvalue.data, salt.saltvalue.length);
if (salt.saltvalue.length)
memcpy(s + password.length, salt.saltvalue.data, salt.saltvalue.length);
DES_string_to_key_int(s, len, &tmp);
key->keytype = enctype;
krb5_data_copy(&key->keyvalue, tmp, sizeof(tmp));
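Review bot: The `memcpy(s, password.data, password.length)` just above the new guard is still unguarded, and it has the same problem the commit fixes for the salt. The preceding `if (len > 0 && s == NULL)` check explicitly lets `s` be NULL when `len` is 0, and an empty password may carry a NULL `data` pointer, so a zero-length copy with a null argument is still reachable. Guard it the same way: `if (password.length) memcpy(s, password.data, password.length);`. DES3_string_to_key_derived has the identical unguarded line. The function body starts and ends outside the hunk, so `len` being the sum of the two lengths is an assumption.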


@@ -113,7 +113,8 @@ DES3_string_to_key_derived(krb5_context context,
if (len != 0 && s == NULL)
return krb5_enomem(context);
memcpy(s, password.data, password.length);
memcpy(s + password.length, salt.saltvalue.data, salt.saltvalue.length);
if (salt.saltvalue.length)
memcpy(s + password.length, salt.saltvalue.data, salt.saltvalue.length);
ret = krb5_string_to_key_derived(context,
s,
len,


@@ -84,7 +84,8 @@ emem_store(krb5_storage *sp, const void *data, size_t size)
s->base = base;
s->ptr = (unsigned char*)base + off;
}
memmove(s->ptr, data, size);
if (size)
memmove(s->ptr, data, size);
sp->seek(sp, size, SEEK_CUR);
return size;
}
@@ -125,10 +126,17 @@ emem_trunc(krb5_storage *sp, off_t offset)
* shrunk more then half of the current size, adjust buffer.
*/
if (offset == 0) {
free(s->base);
s->size = 0;
s->base = NULL;
s->ptr = NULL;
if (s->size > 1024) {
void *base;
base = realloc(s->base, 1024);
if (base) {
s->base = base;
s->size = 1024;
}
}
s->len = 0;
s->ptr = s->base;
} else if ((size_t)offset > s->size || (s->size / 2) > (size_t)offset) {
void *base;
size_t off;
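Review bot: In the `offset == 0` branch of emem_trunc the buffer is now kept (or shrunk by `realloc`) instead of freed, so whatever was written before the truncate stays in the allocation behind `s->base` while `s->len` is reset to 0. If this storage is ever used for key material or other secrets (not visible here), that data now stays attached to the storage until it is overwritten. Clearing the retained bytes with a non-elidable zeroing call such as `memset_s` before the `realloc` would close that. Separately, the literal `1024` appears three times and would read better as one named constant. emem_trunc continues past the end of the hunk.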