From 660809fe7e597520d17deab9225f1b371c08d65c Mon Sep 17 00:00:00 2001
From: neilbrown
Date: Mon, 10 Apr 2006 09:57:17 +0000
Subject: [PATCH] 2006-04-10 NeilBrown Various paranoia checks: gssd_proc.c: pass max_field sizes to sscanf to avoid buffer overflow svcgssd_proc.c: range_check name.length, to ensure name.length+1 doesn't wrap idmapd.c(nfsdcb): make sure at least one byte is read before zeroing the last byte that was read, otherwise memory corruption is possible. Found by SuSE security audit.
---
 ChangeLog | 12 ++++++++++++
 utils/gssd/gssd_proc.c | 8 ++++----
 utils/gssd/svcgssd_proc.c | 3 ++-
 utils/idmapd/idmapd.c | 5 +++--
 4 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 9151183..789d3b4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2006-04-10 NeilBrown
+ Various paranoia checks:
+ gssd_proc.c: pass max_field sizes to sscanf to avoid buffer
+ overflow
+ svcgssd_proc.c: range_check name.length, to ensure name.length+1
+ doesn't wrap
+ idmapd.c(nfsdcb): make sure at least one byte is read before
+ zeroing the last byte that was read, otherwise memory corruption
+ is possible.
+
+ Found by SuSE security audit.
+
 2006-04-10 "Kevin Coffman"
 Check for sufficient version of librpcsecgss and libgssapi in
 configure.in
diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index bac0520..75a04f5 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -127,10 +127,10 @@ read_service_info(char *info_file_name, char **servicename, char **servername,
 goto fail;
 close(fd);
 
- numfields = sscanf(buf,"RPC server: %s\n"
- "service: %s %s version %s\n"
- "address: %s\n"
- "protocol: %s\n",
+ numfields = sscanf(buf,"RPC server: %127s\n"
+ "service: %127s %15s version %15s\n"
+ "address: %127s\n"
+ "protocol: %15s\n",
 dummy,
 service, program, version,
 address,
diff --git a/utils/gssd/svcgssd_proc.c b/utils/gssd/svcgssd_proc.c
index 14b7f17..b3a6ae8 100644
--- a/utils/gssd/svcgssd_proc.c 
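Review bot: The new widths `%127s`/`%15s` hard-code the sizes of `dummy`, `service`, `program`, `version`, `address` and `protocol`, whose declarations are outside the hunk (presumably 128- and 16-byte arrays), so nothing ties the format string to the buffers and a later resize of either side silently reopens the overflow. A comment at the call, `/* each width must stay sizeof(<dest array>) - 1; keep in sync with the declarations above */`, or widths produced from the array sizes via a stringifying macro, would make that dependency visible. Note also that truncation is only detectable for the first five fields, where the leftover characters make the next literal directive fail and `numfields` drops below 6; for the final `protocol: %15s\n` an over-long value is cut to 15 characters and `sscanf` still reports 6, so the `numfields` check that follows (outside the hunk) cannot see it. read_service_info continues beyond the hunk.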
+++ b/utils/gssd/svcgssd_proc.c
@@ -200,7 +200,8 @@ get_ids(gss_name_t client_name, gss_OID mech, struct svc_cred *cred)
 maj_stat, min_stat, mech);
 goto out;
 }
- if (!(sname = calloc(name.length + 1, 1))) {
+ if (name.length >= 0xffff || /* be certain name.length+1 doesn't overflow */
+ !(sname = calloc(name.length + 1, 1))) {
 printerr(0, "WARNING: get_ids: error allocating %d bytes "
 "for sname\n", name.length + 1);
 gss_release_buffer(&min_stat, &name);
diff --git a/utils/idmapd/idmapd.c b/utils/idmapd/idmapd.c
index 5712edb..158feaf 100644
--- a/utils/idmapd/idmapd.c
+++ b/utils/idmapd/idmapd.c
@@ -547,9 +547,10 @@ nfsdcb(int fd, short which, void *data)
 if (which != EV_READ)
 goto out;
 
- if ((len = read(ic->ic_fd, buf, sizeof(buf))) == -1) {
+ if ((len = read(ic->ic_fd, buf, sizeof(buf))) <= 0) {
 idmapd_warnx("nfsdcb: read(%s) failed: errno %d (%s)",
- ic->ic_path, errno, strerror(errno));
+ ic->ic_path, len?errno:0,
+ len?strerror(errno):"End of File");
 goto out;
 }
 
-- 
2.39.5
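Review bot: The bound `0xffff` is a plausibility limit on the principal name, not the overflow guard the inline comment claims: `name` is released with `gss_release_buffer`, so it is presumably a `gss_buffer_desc` whose `length` is a `size_t`, and `name.length + 1` can only wrap at `SIZE_MAX`. Naming the constant, e.g. `enum { MAX_NAME_LEN = 0xffff }; /* principal names longer than this are rejected as implausible */`, and rewording the comment to say that, would make the intent reviewable instead of leaving a magic number that a reader may assume is type-derived. The `printerr` call that follows still formats `name.length + 1` with `%d`; if `printerr` is printf-like, passing `(unsigned long)(name.length + 1)` with `%lu` matches the argument type. get_ids continues outside the hunk.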
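Review bot: `len <= 0` only provides the protection the ChangeLog describes if `len` is signed; its declaration is outside the hunk, and if it is a `size_t` the comparison degenerates to `len == 0`, a failed `read` returning -1 becomes `SIZE_MAX`, the error branch is skipped, and the code after the block that zeroes the last byte read would index far beyond `buf` — a worse outcome than the original `== -1` test. Confirm the declaration is `ssize_t len;`, the type `read` returns, so both the -1 and the 0 case take this branch. The ternaries `len?errno:0` and `len?strerror(errno):"End of File"` buried in the argument list are hard to scan; a one-line comment above the call, `/* len == 0 is EOF, not an error, so errno is stale there */`, would explain why they exist. nfsdcb continues outside the hunk.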