Validate some counts that may be received from the network:

Check that they are non-negative, and that they are small enough to
avoid integer overflow when used in memory allocation calculations.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11411 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Jacques A. Vidrine
2002-09-09 14:03:03 +00:00
parent 2f8c0d7281
commit 9849899e7f
3 changed files with 19 additions and 12 deletions

View File

@@ -186,6 +186,8 @@ krb5_ret_xdr_data(krb5_storage *sp,
ret = krb5_ret_int32(sp, &size);
if(ret)
return ret;
if(size < 0)
return ERANGE;
data->length = size;
if (size) {
u_char foo[4];

View File

@@ -324,6 +324,8 @@ get_pa_etype_info(METHOD_DATA *md, hdb_entry *client,
pa.len = client->keys.len;
if(pa.len > UINT_MAX/sizeof(*pa.val))
return ERANGE;
pa.val = malloc(pa.len * sizeof(*pa.val));
if(pa.val == NULL)
return ENOMEM;
@@ -1079,6 +1081,10 @@ fix_transited_encoding(TransitedEncoding *tr,
return ret;
}
}
if (num_realms < 0 || num_realms + 1 > UINT_MAX/sizeof(*realms)) {
ret = ERANGE;
goto free_realms;
}
tmp = realloc(realms, (num_realms + 1) * sizeof(*realms));
if(tmp == NULL){
ret = ENOMEM;

View File

@@ -318,8 +318,9 @@ krb5_domain_x500_decode(krb5_context context,
if(ret)
return ret;
/* remove empty components */
/* remove empty components and count realms */
q = &r;
*num_realms = 0;
for(p = r; p; ){
if(p->realm[0] == '\0'){
free(p->realm);
@@ -329,22 +330,20 @@ krb5_domain_x500_decode(krb5_context context,
}else{
q = &p->next;
p = p->next;
(*num_realms)++;
}
}
if (*num_realms < 0 || *num_realms + 1 > UINT_MAX/sizeof(**realms))
return ERANGE;
{
char **R;
*realms = NULL;
*num_realms = 0;
R = malloc((*num_realms + 1) * sizeof(*R));
if (R == NULL)
return ENOMEM;
*realms = R;
while(r){
R = realloc(*realms, (*num_realms + 1) * sizeof(**realms));
if(R == NULL) {
free(*realms);
krb5_set_error_string (context, "malloc: out of memory");
return ENOMEM;
}
R[*num_realms] = r->realm;
(*num_realms)++;
*realms = R;
*R++ = r->realm;
p = r->next;
free(r);
r = p;