Re: [OpenAFS-devel] Re: [OpenAFS] Is OpenAFS vulnerable to CA-2003-10 ?

Fri, 21 Mar 2003 09:02:25 -0800 

Ok, here's a patch.  This compiles for me but I can't test it.  Anyone want
to test?  Should I commit this?

This is based on the MIT kerberos patch.

Index: xdr_mem.c
===================================================================
RCS file: /cvs/openafs/src/rx/xdr_mem.c,v
retrieving revision 1.5
diff -u -r1.5 xdr_mem.c
--- xdr_mem.c   21 Aug 2002 18:13:51 -0000      1.5
+++ xdr_mem.c   21 Mar 2003 17:01:44 -0000
@@ -78,7 +78,7 @@
        xdrs->x_op = op;
        xdrs->x_ops = &xdrmem_ops;
        xdrs->x_private = xdrs->x_base = addr;
-       xdrs->x_handy = size;
+       xdrs->x_handy = (size > INT_MAX) ? INT_MAX : size; /* XXX */
 }
 
 static void xdrmem_destroy(void)
@@ -87,8 +87,10 @@
 
 static bool_t xdrmem_getint32(register XDR *xdrs, afs_int32 *lp)
 {
-       if ((xdrs->x_handy -= sizeof(afs_int32)) < 0)
+       if (xdrs->x_handy -= sizeof(afs_int32))
                return (FALSE);
+       else
+               xdrs->x_handy -= sizeof(afs_int32);
        *lp = ntohl(*((afs_int32 *)(xdrs->x_private)));
        xdrs->x_private += sizeof(afs_int32);
        return (TRUE);
@@ -96,8 +98,10 @@
 
 static bool_t xdrmem_putint32(register XDR *xdrs, afs_int32 *lp)
 {
-       if ((xdrs->x_handy -= sizeof(afs_int32)) < 0)
+       if (xdrs->x_handy -= sizeof(afs_int32))
                return (FALSE);
+       else
+               xdrs->x_handy -= sizeof(afs_int32);
        *(afs_int32 *)xdrs->x_private = htonl(*lp);
        xdrs->x_private += sizeof(afs_int32);
        return (TRUE);
@@ -105,8 +109,10 @@
 
 static bool_t xdrmem_getbytes(register XDR *xdrs, caddr_t addr, register u_int len)
 {
-       if ((xdrs->x_handy -= len) < 0)
+       if (xdrs->x_handy < len)
                return (FALSE);
+       else
+               xdrs->x_handy -= len;
        memcpy(addr, xdrs->x_private, len);
        xdrs->x_private += len;
        return (TRUE);
@@ -114,8 +120,10 @@
 
 static bool_t xdrmem_putbytes(register XDR *xdrs, caddr_t addr, register u_int len)
 {
-       if ((xdrs->x_handy -= len) < 0)
+       if (xdrs->x_handy < len)
                return (FALSE);
+       else
+               xdrs->x_handy -= len;
        memcpy(xdrs->x_private, addr, len);
        xdrs->x_private += len;
        return (TRUE);
@@ -142,7 +150,7 @@
 {
        afs_int32 *buf = 0;
 
-       if (xdrs->x_handy >= len) {
+       if (len >= 0 && xdrs->x_handy >= len) {
                xdrs->x_handy -= len;
                buf = (afs_int32 *) xdrs->x_private;
                xdrs->x_private += len;
_______________________________________________
OpenAFS-devel mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-devel

Reply via email to