* the context is complete.
*/
if (!(cp->gss_clnt_flags & GSS_CTX_COMPLETE)) {
+ if (verflen > KRB5_MAX_MIC_SIZE)
+ return (EBADRPC);
MALLOC(cp->gss_clnt_verf, u_char *, verflen, M_TEMP, M_WAITOK|M_ZERO);
if (cp->gss_clnt_verf == NULL)
return (ENOMEM);
nmc_tmp = *nmc;
nfsm_chain_adv(error, &nmc_tmp, reslen); // skip over the results
nfsm_chain_get_32(error, &nmc_tmp, cksum.length);
+ if (cksum.length > KRB5_MAX_MIC_SIZE) {
+ error = EBADRPC;
+ goto nfsmout;
+ }
MALLOC(cksum.value, void *, cksum.length, M_TEMP, M_WAITOK);
nfsm_chain_get_opaque(error, &nmc_tmp, cksum.length, cksum.value);
//XXX chop offf the cksum?
FREE(cp->gss_clnt_handle, M_TEMP);
cp->gss_clnt_handle = NULL;
}
- if (cp->gss_clnt_handle_len > 0) {
+ if (cp->gss_clnt_handle_len > 0 && cp->gss_clnt_handle_len < GSS_MAX_CTX_HANDLE_LEN) {
MALLOC(cp->gss_clnt_handle, u_char *, cp->gss_clnt_handle_len, M_TEMP, M_WAITOK);
if (cp->gss_clnt_handle == NULL) {
error = ENOMEM;
goto nfsmout;
}
nfsm_chain_get_opaque(error, &nmrep, cp->gss_clnt_handle_len, cp->gss_clnt_handle);
+ } else {
+ error = EBADRPC;
}
nfsm_chain_get_32(error, &nmrep, cp->gss_clnt_major);
nfsm_chain_get_32(error, &nmrep, cp->gss_clnt_minor);
nfsm_chain_get_32(error, &nmrep, cp->gss_clnt_tokenlen);
if (error)
goto nfsmout;
- if (cp->gss_clnt_tokenlen > 0) {
+ if (cp->gss_clnt_tokenlen > 0 && cp->gss_clnt_tokenlen < GSS_MAX_TOKEN_LEN) {
MALLOC(cp->gss_clnt_token, u_char *, cp->gss_clnt_tokenlen, M_TEMP, M_WAITOK);
if (cp->gss_clnt_token == NULL) {
error = ENOMEM;
goto nfsmout;
}
nfsm_chain_get_opaque(error, &nmrep, cp->gss_clnt_tokenlen, cp->gss_clnt_token);
+ } else {
+ error = EBADRPC;
}
/*
goto nfsmout;
if (flavor != RPCSEC_GSS || cksum.length > KRB5_MAX_MIC_SIZE)
error = NFSERR_AUTHERR | AUTH_BADVERF;
- MALLOC(cksum.value, void *, cksum.length, M_TEMP, M_WAITOK);
- nfsm_chain_get_opaque(error, nmc, cksum.length, cksum.value);
+ else {
+ MALLOC(cksum.value, void *, cksum.length, M_TEMP, M_WAITOK);
+ nfsm_chain_get_opaque(error, nmc, cksum.length, cksum.value);
+ }
if (error)
goto nfsmout;
nmc_tmp = *nmc;
nfsm_chain_adv(error, &nmc_tmp, arglen);
nfsm_chain_get_32(error, &nmc_tmp, cksum.length);
- MALLOC(cksum.value, void *, cksum.length, M_TEMP, M_WAITOK);
+ cksum.value = NULL;
+ if (cksum.length > 0 && cksum.length < GSS_MAX_MIC_LEN)
+ MALLOC(cksum.value, void *, cksum.length, M_TEMP, M_WAITOK);
if (cksum.value == NULL) {
error = EBADRPC;
case RPCSEC_GSS_CONTINUE_INIT:
/* Get the token from the request */
nfsm_chain_get_32(error, nmreq, cp->gss_svc_tokenlen);
- if (cp->gss_svc_tokenlen == 0) {
- autherr = RPCSEC_GSS_CREDPROBLEM;
- break;
- }
- MALLOC(cp->gss_svc_token, u_char *, cp->gss_svc_tokenlen, M_TEMP, M_WAITOK);
+ cp->gss_svc_token = NULL;
+ if (cp->gss_svc_tokenlen > 0 && cp->gss_svc_tokenlen < GSS_MAX_TOKEN_LEN)
+ MALLOC(cp->gss_svc_token, u_char *, cp->gss_svc_tokenlen, M_TEMP, M_WAITOK);
if (cp->gss_svc_token == NULL) {
autherr = RPCSEC_GSS_CREDPROBLEM;
break;