Fix buffer length validation in ktc_GetToken and knfs
authorAnders Kaseorg <andersk@mit.edu>
Sun, 4 May 2014 09:30:25 +0000 (05:30 -0400)
committerJeffrey Altman <jaltman@your-file-system.com>
Sun, 4 May 2014 18:36:10 +0000 (14:36 -0400)
commit9c10c202f1f2e516dde8b70c3a3b69a73d163070
tree9050ad2551e08458960a513d886f2e2365e2eb3e
parent279345c231d0a2d9f6e8c2f76a5347bafd40e70b
Fix buffer length validation in ktc_GetToken and knfs

The signed int tktLen is checked against a maximum size, then passed
as the unsigned size_t argument to memcpy.  So we need to make sure it
isn’t negative.

This doesn’t appear to be exploitable: tktLen comes from the kernel,
which should have previously validated the length within the SETTOK
pioctl.

This bug was found with STACK <http://css.csail.mit.edu/stack/>.

Change-Id: I781bd300cad3d725d3517e7f6ac9e6423c417087
Signed-off-by: Anders Kaseorg <andersk@mit.edu>
Reviewed-on: http://gerrit.openafs.org/11109
Reviewed-by: Chas Williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
src/auth/ktc.c
src/kauth/knfs.c