Attachment 146830 Details for Bug 214208 – libtirpc-0.1.7-CVE-2007-3999.patch

[patch] libtirpc-0.1.7-CVE-2007-3999.patch

libtirpc-0.1.7-CVE-2007-3999.patch (text/plain), 1.27 KB, created by Robert Buchholz (RETIRED) on 2008-03-22 01:41:37 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Robert Buchholz (RETIRED)

Created: 2008-03-22 01:41:37 UTC

Size: 1.27 KB

patch

obsolete

>commit 3cf1a3ce1a409e647f9b8ca4497c26e6d066f293
>Author: Steve Dickson <steved@redhat.com>
>Date:   Thu Jan 24 15:01:22 2008 -0500
>
>    Protect from buffer overflow in the GSS code.
>    
>    Signed-off-by: Steve Dickson <steved@redhat.com>
>
>diff -up libtirpc-0.1.7/src/svc_auth_gss.c.orig libtirpc-0.1.7/src/svc_auth_gss.c
>--- libtirpc-0.1.7/src/svc_auth_gss.c.orig	2008-01-24 14:41:21.000000000 -0500
>+++ libtirpc-0.1.7/src/svc_auth_gss.c	2008-01-24 14:59:31.000000000 -0500
>@@ -294,6 +294,15 @@ svcauth_gss_validate(struct svc_rpc_gss_
> 	memset(rpchdr, 0, sizeof(rpchdr));
> 
> 	/* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
>+	oa = &msg->rm_call.cb_cred;
>+	if (oa->oa_length > MAX_AUTH_BYTES)
>+		return (FALSE);
>+	
>+	/* 8 XDR units from the IXDR macro calls. */
>+	if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
>+			RNDUP(oa->oa_length)))
>+		return (FALSE);
>+
> 	buf = (int32_t *)rpchdr;
> 	IXDR_PUT_LONG(buf, msg->rm_xid);
> 	IXDR_PUT_ENUM(buf, msg->rm_direction);
>@@ -301,7 +310,6 @@ svcauth_gss_validate(struct svc_rpc_gss_
> 	IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
> 	IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
> 	IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
>-	oa = &msg->rm_call.cb_cred;
> 	IXDR_PUT_ENUM(buf, oa->oa_flavor);
> 	IXDR_PUT_LONG(buf, oa->oa_length);
> 	if (oa->oa_length) {

Actions: View | Diff

Attachments on bug 214208: 146830