| commit | 1174e0a6adcc4cfe7719e7090d75b4eda855998d | |
| author | Anders Kaseorg <andersk@mit.edu> | |
| Sun, 4 May 2014 09:30:25 +0000 (4 05:30 -0400) | ||
| committer | Stephan Wiesand <stephan.wiesand@desy.de> | |
| Thu, 26 Jun 2014 09:28:28 +0000 (26 05:28 -0400) | ||
| tree | 877861bc7a0866ee22019e19d9139706fa6e86b1 | treesnapshot (tar.gz zip) |
| parent | f99226a2ec12997060202e8badd3a67e66cd871b | commitdiff |
Fix buffer length validation in ktc_GetToken and knfs
The signed int tktLen is checked against a maximum size, then passed
as the unsigned size_t argument to memcpy. So we need to make sure it
isn’t negative.
This doesn’t appear to be exploitable: tktLen comes from the kernel,
which should have previously validated the length within the SETTOK
pioctl.
This bug was found with STACK <http://css.csail.mit.edu/stack/>.
Signed-off-by: Anders Kaseorg <andersk@mit.edu>
Reviewed-on: http://gerrit.openafs.org/11109
Reviewed-by: Chas Williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
(cherry picked from commit 9c10c202f1f2e516dde8b70c3a3b69a73d163070)
Change-Id: Id8dacdc00fd686d4f2ff234ffd6c8f5346d9e7b0
Reviewed-on: http://gerrit.openafs.org/11112
Reviewed-by: Perry Ruiter <pruiter@sinenomine.net>
Reviewed-by: Chas Williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Anders Kaseorg <andersk@mit.edu>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
The signed int tktLen is checked against a maximum size, then passed
as the unsigned size_t argument to memcpy. So we need to make sure it
isn’t negative.
This doesn’t appear to be exploitable: tktLen comes from the kernel,
which should have previously validated the length within the SETTOK
pioctl.
This bug was found with STACK <http://css.csail.mit.edu/stack/>.
Signed-off-by: Anders Kaseorg <andersk@mit.edu>
Reviewed-on: http://gerrit.openafs.org/11109
Reviewed-by: Chas Williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
(cherry picked from commit 9c10c202f1f2e516dde8b70c3a3b69a73d163070)
Change-Id: Id8dacdc00fd686d4f2ff234ffd6c8f5346d9e7b0
Reviewed-on: http://gerrit.openafs.org/11112
Reviewed-by: Perry Ruiter <pruiter@sinenomine.net>
Reviewed-by: Chas Williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Anders Kaseorg <andersk@mit.edu>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
| src/auth/ktc.c | diffblobblamehistory | |
| src/kauth/knfs.c | diffblobblamehistory |