Validate some counts that may be received from the network:

Check that they are non-negative, and that they are small enough to avoid integer overflow when used in memory allocation calculations. git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11411 ec53bebd-3082-4978-b11e-865c3cabbd6b
2002-09-09 14:03:03 +00:00
parent 2f8c0d7281
commit 9849899e7f
3 changed files with 19 additions and 12 deletions
--- a/kdc/kaserver.c
+++ b/kdc/kaserver.c
@@ -186,6 +186,8 @@ krb5_ret_xdr_data(krb5_storage *sp,
    ret = krb5_ret_int32(sp, &size);
    if(ret)
 	return ret;
+    if(size < 0)
+	return ERANGE;
    data->length = size;
    if (size) {
 	u_char foo[4];
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -324,6 +324,8 @@ get_pa_etype_info(METHOD_DATA *md, hdb_entry *client,
    

    pa.len = client->keys.len;
+    if(pa.len > UINT_MAX/sizeof(*pa.val))
+	return ERANGE;
    pa.val = malloc(pa.len * sizeof(*pa.val));
    if(pa.val == NULL)
 	return ENOMEM;
@@ -1079,6 +1081,10 @@ fix_transited_encoding(TransitedEncoding *tr,
 		return ret;
 	    }
 	}
+	if (num_realms < 0 || num_realms + 1 > UINT_MAX/sizeof(*realms)) {
+	    ret = ERANGE;
+	    goto free_realms;
+	}
 	tmp = realloc(realms, (num_realms + 1) * sizeof(*realms));
 	if(tmp == NULL){
 	    ret = ENOMEM;