Fix buffer length validation in ktc_GetToken and knfs
authorAnders Kaseorg <andersk@mit.edu>
Sun, 4 May 2014 09:30:25 +0000 (05:30 -0400)
committerJeffrey Altman <jaltman@your-file-system.com>
Sun, 4 May 2014 18:36:10 +0000 (14:36 -0400)
The signed int tktLen is checked against a maximum size, then passed
as the unsigned size_t argument to memcpy.  So we need to make sure it
isn’t negative.

This doesn’t appear to be exploitable: tktLen comes from the kernel,
which should have previously validated the length within the SETTOK
pioctl.

This bug was found with STACK <http://css.csail.mit.edu/stack/>.

Change-Id: I781bd300cad3d725d3517e7f6ac9e6423c417087
Signed-off-by: Anders Kaseorg <andersk@mit.edu>
Reviewed-on: http://gerrit.openafs.org/11109
Reviewed-by: Chas Williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>

src/auth/ktc.c
src/kauth/knfs.c

index 002f53b..6853b0f 100644 (file)
@@ -682,7 +682,7 @@ GetToken(struct ktc_principal *aserver, struct ktc_token *atoken,
                /* got token for cell; check that it will fit */
                maxLen =
                    atokenLen - sizeof(struct ktc_token) + MAXKTCTICKETLEN;
-               if (maxLen < tktLen) {
+               if (tktLen < 0 || tktLen > maxLen) {
                    UNLOCK_GLOBAL_MUTEX;
                    return KTC_TOOBIG;
                }
index 6289829..e7c257a 100644 (file)
@@ -163,7 +163,7 @@ GetTokens(afs_int32 ahost, afs_int32 auid)
                maxLen =
                    sizeof(token) - sizeof(struct ktc_token) +
                    MAXKTCTICKETLEN;
-               if (maxLen < tktLen)
+               if (tktLen < 0 || tktLen > maxLen)
                    return KTC_TOOBIG;
                memcpy(token.ticket, stp, tktLen);
                token.startTime = ct.BeginTimestamp;