Blame CVE-2007-3999-2.patch
|
|
718cb55 |
*** src/lib/rpc/svc_auth_gss.c (revision 20474)
|
|
|
718cb55 |
--- src/lib/rpc/svc_auth_gss.c (local)
|
|
|
718cb55 |
***************
|
|
|
718cb55 |
*** 355,360 ****
|
|
|
718cb55 |
--- 355,369 ----
|
|
|
718cb55 |
memset(rpchdr, 0, sizeof(rpchdr));
|
|
|
718cb55 |
|
|
|
718cb55 |
/* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
|
|
|
718cb55 |
+ oa = &msg->rm_call.cb_cred;
|
|
|
718cb55 |
+ if (oa->oa_length > MAX_AUTH_BYTES)
|
|
|
718cb55 |
+ return (FALSE);
|
|
|
718cb55 |
+
|
|
|
718cb55 |
+ /* 8 XDR units from the IXDR macro calls. */
|
|
|
718cb55 |
+ if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
|
|
|
718cb55 |
+ RNDUP(oa->oa_length)))
|
|
|
718cb55 |
+ return (FALSE);
|
|
|
718cb55 |
+
|
|
|
718cb55 |
buf = (int32_t *)(void *)rpchdr;
|
|
|
718cb55 |
IXDR_PUT_LONG(buf, msg->rm_xid);
|
|
|
718cb55 |
IXDR_PUT_ENUM(buf, msg->rm_direction);
|
|
|
718cb55 |
***************
|
|
|
718cb55 |
*** 362,368 ****
|
|
|
718cb55 |
IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
|
|
|
718cb55 |
IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
|
|
|
718cb55 |
IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
|
|
|
718cb55 |
- oa = &msg->rm_call.cb_cred;
|
|
|
718cb55 |
IXDR_PUT_ENUM(buf, oa->oa_flavor);
|
|
|
718cb55 |
IXDR_PUT_LONG(buf, oa->oa_length);
|
|
|
718cb55 |
if (oa->oa_length) {
|
|
|
718cb55 |
--- 371,376 ----
|