Validate some counts that may be received from the network:

Check that they are non-negative, and that they are small enough to avoid integer overflow when used in memory allocation calculations. git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11411 ec53bebd-3082-4978-b11e-865c3cabbd6b
2002-09-09 14:03:03 +00:00
parent 2f8c0d7281
commit 9849899e7f
3 changed files with 19 additions and 12 deletions
--- a/kdc/kaserver.c
+++ b/kdc/kaserver.c
@@ -186,6 +186,8 @@ krb5_ret_xdr_data(krb5_storage *sp,
    ret = krb5_ret_int32(sp, &size);
    if(ret)
 	return ret;
+    if(size < 0)
+	return ERANGE;
    data->length = size;
    if (size) {
 	u_char foo[4];
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -324,6 +324,8 @@ get_pa_etype_info(METHOD_DATA *md, hdb_entry *client,
    

    pa.len = client->keys.len;
+    if(pa.len > UINT_MAX/sizeof(*pa.val))
+	return ERANGE;
    pa.val = malloc(pa.len * sizeof(*pa.val));
    if(pa.val == NULL)
 	return ENOMEM;
@@ -1079,6 +1081,10 @@ fix_transited_encoding(TransitedEncoding *tr,
 		return ret;
 	    }
 	}
+	if (num_realms < 0 || num_realms + 1 > UINT_MAX/sizeof(*realms)) {
+	    ret = ERANGE;
+	    goto free_realms;
+	}
 	tmp = realloc(realms, (num_realms + 1) * sizeof(*realms));
 	if(tmp == NULL){
 	    ret = ENOMEM;
--- a/lib/krb5/transited.c
+++ b/lib/krb5/transited.c
@@ -318,8 +318,9 @@ krb5_domain_x500_decode(krb5_context context,
    if(ret)
 	return ret;
    
-    /* remove empty components */
+    /* remove empty components and count realms */
    q = &r;
+    *num_realms = 0;
    for(p = r; p; ){
 	if(p->realm[0] == '\0'){
 	    free(p->realm);
@@ -329,22 +330,20 @@ krb5_domain_x500_decode(krb5_context context,
 	}else{
 	    q = &p->next;
 	    p = p->next;
+	    (*num_realms)++;
 	}
    }
+    if (*num_realms < 0 || *num_realms + 1 > UINT_MAX/sizeof(**realms))
+	return ERANGE;
+
    {
 	char **R;
-	*realms = NULL;
-	*num_realms = 0;
+	R = malloc((*num_realms + 1) * sizeof(*R));
+	if (R == NULL)
+	    return ENOMEM;
+	*realms = R;
 	while(r){
-	    R = realloc(*realms, (*num_realms + 1) * sizeof(**realms));
-	    if(R == NULL) {
-		free(*realms);
-		krb5_set_error_string (context, "malloc: out of memory");
-		return ENOMEM;
-	    }
-	    R[*num_realms] = r->realm;
-	    (*num_realms)++;
-	    *realms = R;
+	    *R++ = r->realm;
 	    p = r->next;
 	    free(r);
 	    r = p;