+2006-04-10 NeilBrown <neilb@suse.de>
+ Various paranoia checks:
+ gssd_proc.c: pass max_field sizes to sscanf to avoid buffer
+ overflow
+ svcgssd_proc.c: range_check name.length, to ensure name.length+1
+ doesn't wrap
+ idmapd.c(nfsdcb): make sure at least one byte is read before
+ zeroing the last byte that was read, otherwise memory corruption
+ is possible.
+
+ Found by SuSE security audit.
+
2006-04-10 "Kevin Coffman" <kwc@citi.umich.edu>
Check for sufficient version of librpcsecgss and libgssapi
in configure.in
goto fail;
close(fd);
- numfields = sscanf(buf,"RPC server: %s\n"
- "service: %s %s version %s\n"
- "address: %s\n"
- "protocol: %s\n",
+ numfields = sscanf(buf,"RPC server: %127s\n"
+ "service: %127s %15s version %15s\n"
+ "address: %127s\n"
+ "protocol: %15s\n",
dummy,
service, program, version,
address,
maj_stat, min_stat, mech);
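Review bot: The new field widths `%127s` and `%15s` are only an overflow fix if the destination arrays (`dummy`, `service`, `program`, `version`, `address`, …) are declared with at least 128 and 16 bytes respectively, and those declarations are outside the hunk, so the coupling is invisible to a reader of this call. I would record it next to the format string with a comment such as `/* %127s / %15s widths must stay one less than the sizes of the destination buffers declared above; sscanf appends the NUL itself */` so a later resize of one buffer does not silently reintroduce the overflow. Separately, the visible format has six `%s` conversions while the argument list shows eight names, which may be a rendering artifact of this page rather than the real code; if it is not, the extra arguments are harmless but the `numfields` check that follows (outside the hunk) must expect 6, not 8. The enclosing function starts and ends outside the hunk.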
goto out;
}
- if (!(sname = calloc(name.length + 1, 1))) {
+ if (name.length >= 0xffff || /* be certain name.length+1 doesn't overflow */
+ !(sname = calloc(name.length + 1, 1))) {
printerr(0, "WARNING: get_ids: error allocating %d bytes "
"for sname\n", name.length + 1);
gss_release_buffer(&min_stat, &name);
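Review bot: The `0xffff` bound on `name.length` is a sanity cap on the exported-name size rather than a true wrap-around guard (if `length` is the `size_t` of a `gss_buffer_desc`, as it appears to be, `length + 1` can only wrap at `SIZE_MAX`), and folding it into the `calloc` condition means an oversized name reports "error allocating %d bytes for sname", which misleads whoever reads the log. I would give the cap a name and its own message, e.g. `if (name.length >= MAX_PRINCIPAL_NAME_LEN) { printerr(0, "WARNING: get_ids: name.length %zu exceeds limit\n", name.length); ...release/goto out...; }` before the existing `calloc` check, where `MAX_PRINCIPAL_NAME_LEN` is a placeholder for the constant the project chooses. The existing `%d` for `name.length + 1` also mismatches a `size_t` argument; `%zu` with a cast-free argument would fix that while the line is being touched. The enclosing function starts and ends outside the hunk.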
if (which != EV_READ)
goto out;
- if ((len = read(ic->ic_fd, buf, sizeof(buf))) == -1) {
+ if ((len = read(ic->ic_fd, buf, sizeof(buf))) <= 0) {
idmapd_warnx("nfsdcb: read(%s) failed: errno %d (%s)",
- ic->ic_path, errno, strerror(errno));
+ ic->ic_path, len?errno:0,
+ len?strerror(errno):"End of File");
goto out;
}
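Review bot: The `len ? errno : 0` and `len ? strerror(errno) : "End of File"` pair repeats the same condition twice inside the `idmapd_warnx` arguments, which is easy to get out of step with and hides why a zero-length read is now treated as a failure. I would hoist the decision, e.g. `int err = len ? errno : 0;` and `const char *why = len ? strerror(err) : "End of File";` immediately after the `read`, and pass `err, why` to `idmapd_warnx`, with a short comment `/* len == 0 must not reach buf[len-1] below */` naming the reason the ChangeLog gives for rejecting EOF here. That zeroing of the last byte is outside the hunk, so the protection depends on this `<= 0` check being the only path to it; worth confirming no other caller of this buffer relies on `len == 0` being valid. The enclosing function starts and ends outside the hunk.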