Page MenuHomeFreeBSD
Differential D52964

sys/rpc: UNIX auth: Fix OOB reads on too short message
AcceptedPublic
Actions

Authored by olce on Tue, Oct 7, 5:14 PM.
Tags
None
Referenced Files
F132026678: D52964.diff
Mon, Oct 13, 1:42 AM
F132026644: D52964.diff
Mon, Oct 13, 1:41 AM
Unknown Object (File)
Sun, Oct 12, 11:38 PM
Unknown Object (File)
Sun, Oct 12, 11:38 PM
Unknown Object (File)
Sun, Oct 12, 12:10 PM
Unknown Object (File)
Wed, Oct 8, 12:53 PM
Unknown Object (File)
Wed, Oct 8, 8:13 AM
Unknown Object (File)
Wed, Oct 8, 7:10 AM
View All 10 Files
Subscribers
emaste
imp

Details

Reviewers
rmacklem
dfr
Summary

In the inline version (_svcauth_unix()), fix multiple possible OOB reads
when the credentials part of a request is too short to contain mandatory
fields or with respect to the hostname length or number of groups it
advertises. The previously existing check was arriving too late and
relied on possibly wrong data coming from earlier OOB reads.

While here, use 'u_int' as the length/size type, as it is more than
enough and removes the need for conversions. While here, factor out
setting 'stat' to AUTH_BADCRED and then jumping to 'done' on error,
through the new 'badcred' label. While here, through comments, refer to
what the non-inline version is doing (xdr_authunix_parms() in
'authunix_prot.c') and the reasons.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 67622
Build 64505: arc lint + arc unit

Event Timeline

olce created this revision.Tue, Oct 7, 5:14 PM
Herald added a subscriber: imp. · View Herald TranscriptTue, Oct 7, 5:14 PM
olce requested review of this revision.Tue, Oct 7, 5:14 PM
Harbormaster completed remote builds in B67622: Diff 163715.Tue, Oct 7, 5:14 PM
olce added a parent revision: D52963: sys/rpc: UNIX auth: Use AUTH_SYS_MAX_{GROUPS,HOSTNAME} as limits (2/2).Tue, Oct 7, 5:24 PM
olce added a reviewer: dfr.
olce mentioned this in D52263: krpc: UNIX auth: Prevent DoS, fix various OOB accesses.Tue, Oct 7, 5:26 PM
rmacklem accepted this revision.Wed, Oct 8, 2:03 PM

Looks fine to me. Feel free to ignore the minor comments.

sys/rpc/svc_auth_unix.c
64

Since you are fixing the type, you might want
to use uint32_t, just in case u_int becomes 64bits
for some arch someday.

But, this is a minor nit. Use whichever type you'd like.

136

I end to use MIN() instead of min() so that
it works for all integer types, but using min()
here should be fine.

This revision is now accepted and ready to land.Wed, Oct 8, 2:03 PM
olce marked 2 inline comments as done.Mon, Oct 13, 1:16 PM
olce added inline comments.
sys/rpc/svc_auth_unix.c
136

Yes. See my more detailed answer in D52960.

olce marked an inline comment as done.Mon, Oct 13, 3:10 PM

Revision Contents
Changeset List

PathSize
sys/
rpc/
100 lines

Diff 163715

View Options

sys/rpc/svc_auth_unix.c

Loading...