gss: Fix UB

Nicolas Williams
2022-10-26 01:53:47 -05:00
parent 8e9ad6eda2
commit bad07f7738
3 changed files with 30 additions and 11 deletions


@@ -1623,7 +1623,10 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
return GSS_S_FAILURE;
}
memcpy(buf, message_buffer->value, message_buffer->length);
if (message_buffer->length)
memcpy(buf, message_buffer->value, message_buffer->length);
else
memset(buf, 0, len);
token = (gss_cfx_mic_token)(buf + message_buffer->length);
token->TOK_ID[0] = 0x04;
@@ -1773,7 +1776,8 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
memcpy(buf, message_buffer->value, message_buffer->length);
if (message_buffer->length)
memcpy(buf, message_buffer->value, message_buffer->length);
memcpy(buf + message_buffer->length, token, sizeof(*token));
ret = krb5_verify_checksum(context, ctx->crypto,
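Review bot: The new guards in _gssapi_mic_cfx and _gssapi_verify_mic_cfx test only `message_buffer->length`, so a caller-supplied buffer with a non-zero length and a NULL `value` would still reach `memcpy` with a null source. Both function bodies start outside these hunks, so this may already be rejected earlier. If it is not, a check such as `if (message_buffer->length != 0 && message_buffer->value == NULL)` with a failure return before the allocation would cover it. Separately, the `else memset(buf, 0, len);` branch in _gssapi_mic_cfx has no counterpart in the verify path and no comment. If its purpose is to keep uninitialised heap bytes out of the checksum input or to quiet an analyzer, a one-line comment saying so would stop it being removed later as dead code.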


@@ -190,7 +190,10 @@ void
_gss_mg_decode_le_uint32(const void *ptr, uint32_t *n)
{
const uint8_t *p = ptr;
*n = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
*n = ((uint32_t)p[0] << 0)
| ((uint32_t)p[1] << 8)
| ((uint32_t)p[2] << 16)
| ((uint32_t)p[3] << 24);
}
void
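Review bot: _gss_mg_decode_le_uint32 reads four bytes through an untyped `const void *ptr`, and nothing on the function states that requirement. Callers decoding wire data therefore have to know to length-check first. A short contract comment above the function would make that explicit, for example `/* Decode a little-endian uint32_t from ptr; ptr must reference at least 4 readable bytes and need not be aligned. */`. The function that begins on the following `void` line lies outside the hunk. If it is a sibling decoder that shifts `p[n]` without a cast, the same `(uint32_t)` promotion should be applied there.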


@@ -734,17 +734,29 @@ wrapunwrap_iov(gss_ctx_id_t cctx, gss_ctx_id_t sctx, int flags, gss_OID mechoid)
token.data = emalloc(token.length);
p = token.data;
memcpy(p, iov[0].buffer.value, iov[0].buffer.length);
if (iov[0].buffer.length)
memcpy(p, iov[0].buffer.value, iov[0].buffer.length);
p += iov[0].buffer.length;
memcpy(p, iov[1].buffer.value, iov[1].buffer.length);
if (iov[1].buffer.length)
memcpy(p, iov[1].buffer.value, iov[1].buffer.length);
p += iov[1].buffer.length;
memcpy(p, iov[2].buffer.value, iov[2].buffer.length);
if (iov[2].buffer.length)
memcpy(p, iov[2].buffer.value, iov[2].buffer.length);
p += iov[2].buffer.length;
memcpy(p, iov[3].buffer.value, iov[3].buffer.length);
if (iov[3].buffer.length)
memcpy(p, iov[3].buffer.value, iov[3].buffer.length);
p += iov[3].buffer.length;
memcpy(p, iov[4].buffer.value, iov[4].buffer.length);
if (iov[4].buffer.length)
memcpy(p, iov[4].buffer.value, iov[4].buffer.length);
p += iov[4].buffer.length;
memcpy(p, iov[5].buffer.value, iov[5].buffer.length);
if (iov[5].buffer.length)
memcpy(p, iov[5].buffer.value, iov[5].buffer.length);
p += iov[5].buffer.length;
assert(p - ((unsigned char *)token.data) == token.length);
@@ -1336,7 +1348,7 @@ main(int argc, char **argv)
if (out1.length != out2.length)
errx(1, "prf len mismatch");
if (memcmp(out1.value, out2.value, out1.length) != 0)
if (out1.length && memcmp(out1.value, out2.value, out1.length) != 0)
errx(1, "prf data mismatch");
gss_release_buffer(&min_stat, &out1);
@@ -1346,7 +1358,7 @@ main(int argc, char **argv)
if (out1.length != out2.length)
errx(1, "prf len mismatch");
if (memcmp(out1.value, out2.value, out1.length) != 0)
if (out1.length && memcmp(out1.value, out2.value, out1.length) != 0)
errx(1, "prf data mismatch");
gss_release_buffer(&min_stat, &out1);
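Review bot: In wrapunwrap_iov the zero-length guard is now written out six times, once per `iov[0]` to `iov[5]`, so a later edit can easily miss one copy. A loop over the six elements keeps the guard and the `p +=` advance in one place; it needs an index such as `size_t i` declared with the function's other locals, which are outside the hunk. The trailing `assert` is the only visible check that the copies stayed within `token.data`, and it runs after the writes, so it is worth keeping directly after the loop. The two `out1.length && memcmp(...)` checks in main are fine as written.

```c
p = token.data;
/* one guarded copy per iov element; memcpy is skipped for empty buffers */
for (i = 0; i < 6; i++) {
    if (iov[i].buffer.length)
        memcpy(p, iov[i].buffer.value, iov[i].buffer.length);
    p += iov[i].buffer.length;
}
assert(p - ((unsigned char *)token.data) == token.length);
```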