rpms/krb5/F-9 krb5-CVE-2009-0847.patch,NONE,1.1

Nalin Dahyabhai nalin at fedoraproject.org
Tue Apr 7 18:15:43 UTC 2009


Author: nalin

Update of /cvs/extras/rpms/krb5/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv14233/F-9

Added Files:
	krb5-CVE-2009-0847.patch 
Log Message:
- add patch to fix length validation bug in libkrb5 (CVE-2009-0847)


krb5-CVE-2009-0847.patch:

--- NEW FILE krb5-CVE-2009-0847.patch ---
diff --git a/src/lib/krb5/asn.1/asn1buf.c b/src/lib/krb5/asn.1/asn1buf.c
index 8baac24..587cccc 100644
--- a/src/lib/krb5/asn.1/asn1buf.c
+++ b/src/lib/krb5/asn.1/asn1buf.c
@@ -78,11 +78,11 @@ asn1_error_code asn1buf_wrap_data(asn1buf *buf, const krb5_data *code)
 
 asn1_error_code asn1buf_imbed(asn1buf *subbuf, const asn1buf *buf, const unsigned int length, const int indef)
 {
+  if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
   subbuf->base = subbuf->next = buf->next;
   if (!indef) {
+      if (length > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;
       subbuf->bound = subbuf->base + length - 1;
-      if (subbuf->bound > buf->bound)
-	  return ASN1_OVERRUN;
   } else /* constructed indefinite */
       subbuf->bound = buf->bound;
   return 0;
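Review bot: In asn1buf_imbed the assignment `subbuf->base = subbuf->next = buf->next;` still runs before the new definite-length test, so when the added `length > (size_t)(...)` check returns ASN1_OVERRUN, subbuf has base and next written but bound untouched. The removed code wrote bound before failing, so a caller that ignores the return code (callers are not visible in this hunk) would now read whatever bound held beforehand. Consider running both checks before any store into subbuf. Alternatively, state the contract on the function with a comment such as `/* On ASN1_OVERRUN *subbuf is not valid and must not be used. */`.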
@@ -200,6 +200,7 @@ asn1_error_code asn1buf_remove_octetstring(asn1buf *buf, const unsigned int len,
 {
   int i;
 
+  if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
   if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
   if (len == 0) {
       *s = 0;
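Review bot: The context line `if (len > buf->bound + 1 - buf->next)` compares an unsigned int with a signed pointer difference, and is only safe because the added guard above it keeps that difference non-negative. Where ptrdiff_t is no wider than unsigned int, a negative difference would convert to a large unsigned value and let the length check pass, so the ordering of the two lines is load-bearing but unstated. asn1buf_imbed in this same patch makes the conversion explicit, and the same form here, `if (len > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;`, would keep the three checks consistent. The same applies to asn1buf_remove_charstring in the next hunk. The function body continues outside the hunk.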
@@ -218,6 +219,7 @@ asn1_error_code asn1buf_remove_charstring(asn1buf *buf, const unsigned int len,
 {
   int i;
 
+  if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
   if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
   if (len == 0) {
       *s = 0;



