gss: Fix UB
@@ -1623,7 +1623,10 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
|
||||
return GSS_S_FAILURE;
|
||||
}
|
||||
|
||||
memcpy(buf, message_buffer->value, message_buffer->length);
|
||||
if (message_buffer->length)
|
||||
memcpy(buf, message_buffer->value, message_buffer->length);
|
||||
else
|
||||
memset(buf, 0, len);
|
||||
|
||||
token = (gss_cfx_mic_token)(buf + message_buffer->length);
|
||||
token->TOK_ID[0] = 0x04;
|
||||
@@ -1773,7 +1776,8 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
|
||||
*minor_status = ENOMEM;
|
||||
return GSS_S_FAILURE;
|
||||
}
|
||||
memcpy(buf, message_buffer->value, message_buffer->length);
|
||||
if (message_buffer->length)
|
||||
memcpy(buf, message_buffer->value, message_buffer->length);
|
||||
memcpy(buf + message_buffer->length, token, sizeof(*token));
|
||||
|
||||
ret = krb5_verify_checksum(context, ctx->crypto,
|
||||
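Review bot: The two CFX paths now treat an empty message differently. In `_gssapi_mic_cfx` the new `else` branch zeroes all `len` bytes, token trailer included, while the non-empty branch leaves the trailer as allocated, and `_gssapi_verify_mic_cfx` has no `else` at all. If every byte of the token is written before the checksum is computed (not visible in this hunk), the `memset(buf, 0, len)` is redundant and can be dropped; if not, the non-empty path feeds uninitialized bytes into the checksum and needs the same zeroing. A one-line comment above each guard, such as `/* memcpy() with a NULL source is undefined even when the length is 0 */`, would also record why the check exists. Both functions start and end outside the hunks.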
|
@@ -190,7 +190,10 @@ void
|
||||
_gss_mg_decode_le_uint32(const void *ptr, uint32_t *n)
|
||||
{
|
||||
const uint8_t *p = ptr;
|
||||
*n = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
|
||||
*n = ((uint32_t)p[0] << 0)
|
||||
| ((uint32_t)p[1] << 8)
|
||||
| ((uint32_t)p[2] << 16)
|
||||
| ((uint32_t)p[3] << 24);
|
||||
}
|
||||
|
||||
void
|
||||
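Review bot: The casts added to `_gss_mg_decode_le_uint32` deserve a short comment, because they look removable and are not. Each `p[i]` promotes to `int`, so shifting a byte with its top bit set left by 24 overflows a signed `int`. Something like `/* cast first: uint8_t promotes to int, and << 24 can overflow it */` above the assignment would keep a later cleanup from undoing the fix. The next function is cut off by the hunk, so it is worth checking whether the other decode helpers in this file still use the uncast form.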
|
@@ -734,17 +734,29 @@ wrapunwrap_iov(gss_ctx_id_t cctx, gss_ctx_id_t sctx, int flags, gss_OID mechoid)
|
||||
token.data = emalloc(token.length);
|
||||
|
||||
p = token.data;
|
||||
memcpy(p, iov[0].buffer.value, iov[0].buffer.length);
|
||||
|
||||
if (iov[0].buffer.length)
|
||||
memcpy(p, iov[0].buffer.value, iov[0].buffer.length);
|
||||
p += iov[0].buffer.length;
|
||||
memcpy(p, iov[1].buffer.value, iov[1].buffer.length);
|
||||
|
||||
if (iov[1].buffer.length)
|
||||
memcpy(p, iov[1].buffer.value, iov[1].buffer.length);
|
||||
p += iov[1].buffer.length;
|
||||
memcpy(p, iov[2].buffer.value, iov[2].buffer.length);
|
||||
|
||||
if (iov[2].buffer.length)
|
||||
memcpy(p, iov[2].buffer.value, iov[2].buffer.length);
|
||||
p += iov[2].buffer.length;
|
||||
memcpy(p, iov[3].buffer.value, iov[3].buffer.length);
|
||||
|
||||
if (iov[3].buffer.length)
|
||||
memcpy(p, iov[3].buffer.value, iov[3].buffer.length);
|
||||
p += iov[3].buffer.length;
|
||||
memcpy(p, iov[4].buffer.value, iov[4].buffer.length);
|
||||
|
||||
if (iov[4].buffer.length)
|
||||
memcpy(p, iov[4].buffer.value, iov[4].buffer.length);
|
||||
p += iov[4].buffer.length;
|
||||
memcpy(p, iov[5].buffer.value, iov[5].buffer.length);
|
||||
|
||||
if (iov[5].buffer.length)
|
||||
memcpy(p, iov[5].buffer.value, iov[5].buffer.length);
|
||||
p += iov[5].buffer.length;
|
||||
|
||||
assert(p - ((unsigned char *)token.data) == token.length);
|
||||
@@ -1336,7 +1348,7 @@ main(int argc, char **argv)
|
||||
|
||||
if (out1.length != out2.length)
|
||||
errx(1, "prf len mismatch");
|
||||
if (memcmp(out1.value, out2.value, out1.length) != 0)
|
||||
if (out1.length && memcmp(out1.value, out2.value, out1.length) != 0)
|
||||
errx(1, "prf data mismatch");
|
||||
|
||||
gss_release_buffer(&min_stat, &out1);
|
||||
@@ -1346,7 +1358,7 @@ main(int argc, char **argv)
|
||||
|
||||
if (out1.length != out2.length)
|
||||
errx(1, "prf len mismatch");
|
||||
if (memcmp(out1.value, out2.value, out1.length) != 0)
|
||||
if (out1.length && memcmp(out1.value, out2.value, out1.length) != 0)
|
||||
errx(1, "prf data mismatch");
|
||||
|
||||
gss_release_buffer(&min_stat, &out1);
|
||||
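Review bot: In `wrapunwrap_iov` the same guarded copy is now written out six times, once per `iov[0]` to `iov[5]`, which makes it easy for a later edit to fix one index and miss another. A loop over the six entries keeps the zero-length guard in one place and leaves the closing `assert` unchanged. The count of six is taken from the visible indices; how `token.length` is summed sits outside the hunk and should use the same bound. The function starts and ends outside the hunk.

```c
p = token.data;

for (size_t i = 0; i < 6; i++) {
    /* memcpy() with a NULL source is undefined even when the length is 0 */
    if (iov[i].buffer.length)
        memcpy(p, iov[i].buffer.value, iov[i].buffer.length);
    p += iov[i].buffer.length;
}

assert(p - ((unsigned char *)token.data) == token.length);
```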
|