2006-04-10 NeilBrown <neilb@suse.de>
authorneilbrown <neilbrown>
Mon, 10 Apr 2006 09:57:17 +0000 (09:57 +0000)
committerneilbrown <neilbrown>
Mon, 10 Apr 2006 09:57:17 +0000 (09:57 +0000)
Various paranoia checks:
gssd_proc.c: pass max_field sizes to sscanf to avoid buffer
  overflow
svcgssd_proc.c: range_check name.length, to ensure name.length+1
  doesn't wrap
idmapd.c(nfsdcb): make sure at least one byte is read before
 zeroing the last byte that was read, otherwise memory corruption
 is possible.

Found by SuSE security audit.

ChangeLog
utils/gssd/gssd_proc.c
utils/gssd/svcgssd_proc.c
utils/idmapd/idmapd.c

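--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2006-04-10 NeilBrown <neilb@suse.de>
+       Various paranoia checks:
+       gssd_proc.c: pass max_field sizes to sscanf to avoid buffer
+         overflow
+       svcgssd_proc.c: range_check name.length, to ensure name.length+1
+         doesn't wrap
+       idmapd.c(nfsdcb): make sure at least one byte is read before
+        zeroing the last byte that was read, otherwise memory corruption
+        is possible.
+
+       Found by SuSE security audit.
+       
 2006-04-10 "Kevin Coffman" <kwc@citi.umich.edu>
        Check for sufficient version of librpcsecgss and libgssapi
        in configure.in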
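--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -127,10 +127,10 @@ read_service_info(char *info_file_name, char **servicename, char **servername,
                goto fail;
        close(fd);
 
-       numfields = sscanf(buf,"RPC server: %s\n"
-                  "service: %s %s version %s\n"
-                  "address: %s\n"
-                  "protocol: %s\n",
+       numfields = sscanf(buf,"RPC server: %127s\n"
+                  "service: %127s %15s version %15s\n"
+                  "address: %127s\n"
+                  "protocol: %15s\n",
                   dummy,
                   service, program, version,
                   address,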
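Review bot: The new field widths (`%127s`, `%15s`) are bare literals, and they are only safe if `dummy`, `service`, `program`, `version`, `address` and the sixth destination each hold at least width + 1 bytes for the terminating NUL. Those buffers are declared outside this hunk, so nothing ties a declaration to its width, and a later resize would silently reopen the overflow. I would add a comment above the call such as `/* each width must equal sizeof(destination) - 1 */`, or derive the widths from named constants shared with the declarations. An over-long field now stops the match early instead of overflowing, so rejecting such input depends on the `numfields` check that presumably follows the call, which is not visible here.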
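--- a/utils/gssd/svcgssd_proc.c
+++ b/utils/gssd/svcgssd_proc.c
@@ -200,7 +200,8 @@ get_ids(gss_name_t client_name, gss_OID mech, struct svc_cred *cred)
                        maj_stat, min_stat, mech);
                goto out;
        }
-       if (!(sname = calloc(name.length + 1, 1))) {
+       if (name.length >= 0xffff || /* be certain name.length+1 doesn't overflow */
+           !(sname = calloc(name.length + 1, 1))) {
                printerr(0, "WARNING: get_ids: error allocating %d bytes "
                        "for sname\n", name.length + 1);
                gss_release_buffer(&min_stat, &name);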
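Review bot: A name rejected by the new `name.length >= 0xffff` test falls into the branch that logs "error allocating %d bytes", which misreports the cause because no allocation was attempted. That `printerr` call also passes `name.length + 1` to `%d`; if `name.length` is `size_t`, as in the standard `gss_buffer_desc`, and `printerr` takes printf-style formats, the argument type does not match the conversion on LP64 targets. I would test the length in its own `if` with a message such as `"WARNING: get_ids: client name too long (%lu bytes)\n", (unsigned long)name.length`, and cast the argument in the existing message the same way. The rest of the error branch lies outside this hunk, so the separate branch needs the same cleanup that follows `gss_release_buffer`.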
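--- a/utils/idmapd/idmapd.c
+++ b/utils/idmapd/idmapd.c
@@ -547,9 +547,10 @@ nfsdcb(int fd, short which, void *data)
        if (which != EV_READ)
                goto out;
 
-       if ((len = read(ic->ic_fd, buf, sizeof(buf))) == -1) {
+       if ((len = read(ic->ic_fd, buf, sizeof(buf))) <= 0) {
                idmapd_warnx("nfsdcb: read(%s) failed: errno %d (%s)",
-                            ic->ic_path, errno, strerror(errno));
+                            ic->ic_path, len?errno:0, 
+                            len?strerror(errno):"End of File");
                goto out;
        }
 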
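Review bot: The new `<= 0` test catches a failed read only if `len` is a signed type, and `len` is declared outside this hunk. If it is `size_t` or another unsigned type, a `-1` return converts to a very large value and passes the check, so the later zeroing of the last byte read (described in the commit message) would index far outside `buf`. The old `== -1` comparison worked for either signedness, so the declaration should be confirmed as, or changed to, `ssize_t len;` in this same commit. Separately, end of file is now logged as `read(...) failed: errno 0 (End of File)`; a dedicated `if (len == 0)` branch with its own message would read better than the two `len ? ... : ...` ternaries.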