diff mbox

[v3] Avoid buffer overruns by allocating buffer in svcauth_gss_validate()

Message ID 1401304171-12231-1-git-send-email-steved@redhat.com (mailing list archive)
State New, archived
Headers show

Commit Message

Steve Dickson May 28, 2014, 7:09 p.m. UTC
Signed-off-by: Steve Dickson <steved@redhat.com>
---
 src/svc_auth_gss.c |   14 +++++++-------
 1 files changed, 7 insertions(+), 7 deletions(-)

Comments

Chuck Lever III May 28, 2014, 7:11 p.m. UTC | #1
On May 28, 2014, at 3:09 PM, Steve Dickson <steved@redhat.com> wrote:

> Signed-off-by: Steve Dickson <steved@redhat.com>

Reviewed-by: Chuck Lever <chuck.lever@oracle.com>

> ---
> src/svc_auth_gss.c |   14 +++++++-------
> 1 files changed, 7 insertions(+), 7 deletions(-)
> 
> diff --git a/src/svc_auth_gss.c b/src/svc_auth_gss.c
> index 601a691..26c1065 100644
> --- a/src/svc_auth_gss.c
> +++ b/src/svc_auth_gss.c
> @@ -286,21 +286,19 @@ svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
> 	struct opaque_auth	*oa;
> 	gss_buffer_desc		 rpcbuf, checksum;
> 	OM_uint32		 maj_stat, min_stat, qop_state;
> -	u_char			 rpchdr[128];
> +	u_char			 *rpchdr;
> 	int32_t			*buf;
> 
> 	gss_log_debug("in svcauth_gss_validate()");
> 
> -	memset(rpchdr, 0, sizeof(rpchdr));
> -
> 	/* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
> 	oa = &msg->rm_call.cb_cred;
> 	if (oa->oa_length > MAX_AUTH_BYTES)
> 		return (FALSE);
> -	
> -	/* 8 XDR units from the IXDR macro calls. */
> -	if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
> -			RNDUP(oa->oa_length)))
> +
> +	rpchdr = (u_char *)calloc(((8 * BYTES_PER_XDR_UNIT) + 
> +			RNDUP(oa->oa_length)), 1);
> +	if (rpchdr == NULL)
> 		return (FALSE);
> 
> 	buf = (int32_t *)rpchdr;
> @@ -325,6 +323,8 @@ svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
> 	maj_stat = gss_verify_mic(&min_stat, gd->ctx, &rpcbuf, &checksum,
> 				  &qop_state);
> 
> +	free(rpchdr);
> +
> 	if (maj_stat != GSS_S_COMPLETE) {
> 		gss_log_status("gss_verify_mic", maj_stat, min_stat);
> 		return (FALSE);
> -- 
> 1.7.1
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com



--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Steve Dickson May 28, 2014, 9:24 p.m. UTC | #2
On 05/28/2014 03:11 PM, Chuck Lever wrote:
> 
> On May 28, 2014, at 3:09 PM, Steve Dickson <steved@redhat.com> wrote:
> 
>> Signed-off-by: Steve Dickson <steved@redhat.com>
> 
> Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Thank you... For your time! 

steved.

> 
>> ---
>> src/svc_auth_gss.c |   14 +++++++-------
>> 1 files changed, 7 insertions(+), 7 deletions(-)
>>
>> diff --git a/src/svc_auth_gss.c b/src/svc_auth_gss.c
>> index 601a691..26c1065 100644
>> --- a/src/svc_auth_gss.c
>> +++ b/src/svc_auth_gss.c
>> @@ -286,21 +286,19 @@ svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
>> 	struct opaque_auth	*oa;
>> 	gss_buffer_desc		 rpcbuf, checksum;
>> 	OM_uint32		 maj_stat, min_stat, qop_state;
>> -	u_char			 rpchdr[128];
>> +	u_char			 *rpchdr;
>> 	int32_t			*buf;
>>
>> 	gss_log_debug("in svcauth_gss_validate()");
>>
>> -	memset(rpchdr, 0, sizeof(rpchdr));
>> -
>> 	/* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
>> 	oa = &msg->rm_call.cb_cred;
>> 	if (oa->oa_length > MAX_AUTH_BYTES)
>> 		return (FALSE);
>> -	
>> -	/* 8 XDR units from the IXDR macro calls. */
>> -	if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
>> -			RNDUP(oa->oa_length)))
>> +
>> +	rpchdr = (u_char *)calloc(((8 * BYTES_PER_XDR_UNIT) + 
>> +			RNDUP(oa->oa_length)), 1);
>> +	if (rpchdr == NULL)
>> 		return (FALSE);
>>
>> 	buf = (int32_t *)rpchdr;
>> @@ -325,6 +323,8 @@ svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
>> 	maj_stat = gss_verify_mic(&min_stat, gd->ctx, &rpcbuf, &checksum,
>> 				  &qop_state);
>>
>> +	free(rpchdr);
>> +
>> 	if (maj_stat != GSS_S_COMPLETE) {
>> 		gss_log_status("gss_verify_mic", maj_stat, min_stat);
>> 		return (FALSE);
>> -- 
>> 1.7.1
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> --
> Chuck Lever
> chuck[dot]lever[at]oracle[dot]com
> 
> 
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Steve Dickson May 29, 2014, 1:43 p.m. UTC | #3
On 05/28/2014 03:09 PM, Steve Dickson wrote:
> Signed-off-by: Steve Dickson <steved@redhat.com>
Committed... 

steved.

> ---
>  src/svc_auth_gss.c |   14 +++++++-------
>  1 files changed, 7 insertions(+), 7 deletions(-)
> 
> diff --git a/src/svc_auth_gss.c b/src/svc_auth_gss.c
> index 601a691..26c1065 100644
> --- a/src/svc_auth_gss.c
> +++ b/src/svc_auth_gss.c
> @@ -286,21 +286,19 @@ svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
>  	struct opaque_auth	*oa;
>  	gss_buffer_desc		 rpcbuf, checksum;
>  	OM_uint32		 maj_stat, min_stat, qop_state;
> -	u_char			 rpchdr[128];
> +	u_char			 *rpchdr;
>  	int32_t			*buf;
>  
>  	gss_log_debug("in svcauth_gss_validate()");
>  
> -	memset(rpchdr, 0, sizeof(rpchdr));
> -
>  	/* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
>  	oa = &msg->rm_call.cb_cred;
>  	if (oa->oa_length > MAX_AUTH_BYTES)
>  		return (FALSE);
> -	
> -	/* 8 XDR units from the IXDR macro calls. */
> -	if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
> -			RNDUP(oa->oa_length)))
> +
> +	rpchdr = (u_char *)calloc(((8 * BYTES_PER_XDR_UNIT) + 
> +			RNDUP(oa->oa_length)), 1);
> +	if (rpchdr == NULL)
>  		return (FALSE);
>  
>  	buf = (int32_t *)rpchdr;
> @@ -325,6 +323,8 @@ svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
>  	maj_stat = gss_verify_mic(&min_stat, gd->ctx, &rpcbuf, &checksum,
>  				  &qop_state);
>  
> +	free(rpchdr);
> +
>  	if (maj_stat != GSS_S_COMPLETE) {
>  		gss_log_status("gss_verify_mic", maj_stat, min_stat);
>  		return (FALSE);
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/src/svc_auth_gss.c b/src/svc_auth_gss.c
index 601a691..26c1065 100644
--- a/src/svc_auth_gss.c
+++ b/src/svc_auth_gss.c
@@ -286,21 +286,19 @@  svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
 	struct opaque_auth	*oa;
 	gss_buffer_desc		 rpcbuf, checksum;
 	OM_uint32		 maj_stat, min_stat, qop_state;
-	u_char			 rpchdr[128];
+	u_char			 *rpchdr;
 	int32_t			*buf;
 
 	gss_log_debug("in svcauth_gss_validate()");
 
-	memset(rpchdr, 0, sizeof(rpchdr));
-
 	/* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
 	oa = &msg->rm_call.cb_cred;
 	if (oa->oa_length > MAX_AUTH_BYTES)
 		return (FALSE);
-	
-	/* 8 XDR units from the IXDR macro calls. */
-	if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
-			RNDUP(oa->oa_length)))
+
+	rpchdr = (u_char *)calloc(((8 * BYTES_PER_XDR_UNIT) + 
+			RNDUP(oa->oa_length)), 1);
+	if (rpchdr == NULL)
 		return (FALSE);
 
 	buf = (int32_t *)rpchdr;
@@ -325,6 +323,8 @@  svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
 	maj_stat = gss_verify_mic(&min_stat, gd->ctx, &rpcbuf, &checksum,
 				  &qop_state);
 
+	free(rpchdr);
+
 	if (maj_stat != GSS_S_COMPLETE) {
 		gss_log_status("gss_verify_mic", maj_stat, min_stat);
 		return (FALSE);