[OpenAFS-devel] Re: [OpenAFS] Is OpenAFS vulnerable to CA-2003-10 ?
Jim Rees
rees@umich.edu
Fri, 21 Mar 2003 12:03:43 -0500
Ok, here's a patch. This compiles for me but I can't test it. Anyone want
to test? Should I commit this?
This is based on the MIT Kerberos patch.
Index: xdr_mem.c
===================================================================
RCS file: /cvs/openafs/src/rx/xdr_mem.c,v
retrieving revision 1.5
diff -u -r1.5 xdr_mem.c
--- xdr_mem.c 21 Aug 2002 18:13:51 -0000 1.5
+++ xdr_mem.c 21 Mar 2003 17:01:44 -0000
@@ -78,7 +78,7 @@
xdrs->x_op = op;
xdrs->x_ops = &xdrmem_ops;
xdrs->x_private = xdrs->x_base = addr;
- xdrs->x_handy = size;
+ xdrs->x_handy = (size > INT_MAX) ? INT_MAX : size; /* XXX */
}
static void xdrmem_destroy(void)
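Review bot: The clamp on the added `x_handy` line is marked only with `/* XXX */`, which does not tell a reader that a buffer larger than INT_MAX is silently treated as INT_MAX bytes long. I would replace the marker with `/* clamp: x_handy must stay non-negative; buffers above INT_MAX are truncated */`. The old `< 0` tests suggest x_handy is a signed count, but its declaration is not in this diff. `INT_MAX` also needs `<limits.h>`, and the patch adds no include, so the build may depend on an indirect include; the file's include block is outside the hunk. xdrmem_create begins above the hunk.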
@@ -87,8 +87,10 @@
static bool_t xdrmem_getint32(register XDR *xdrs, afs_int32 *lp)
{
- if ((xdrs->x_handy -= sizeof(afs_int32)) < 0)
+ if (xdrs->x_handy -= sizeof(afs_int32))
return (FALSE);
+ else
+ xdrs->x_handy -= sizeof(afs_int32);
*lp = ntohl(*((afs_int32 *)(xdrs->x_private)));
xdrs->x_private += sizeof(afs_int32);
return (TRUE);
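Review bot: The new test in xdrmem_getint32, `if (xdrs->x_handy -= sizeof(afs_int32))`, subtracts and tests for non-zero instead of checking a bound, so it returns FALSE whenever anything other than exactly four bytes remained. When exactly four remained it falls into the `else` and subtracts a second time, which leaves x_handy negative (or wrapped, depending on its type, which is not visible here). A later `xdrs->x_handy < len` comparison against a `u_int` would then accept any length, which brings back the out-of-bounds copy this patch is meant to close. The line should match the getbytes/putbytes hunks: `if (xdrs->x_handy < sizeof(afs_int32))`. The xdrmem_putint32 hunk has the identical line and needs the same change.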
@@ -96,8 +98,10 @@
static bool_t xdrmem_putint32(register XDR *xdrs, afs_int32 *lp)
{
- if ((xdrs->x_handy -= sizeof(afs_int32)) < 0)
+ if (xdrs->x_handy -= sizeof(afs_int32))
return (FALSE);
+ else
+ xdrs->x_handy -= sizeof(afs_int32);
*(afs_int32 *)xdrs->x_private = htonl(*lp);
xdrs->x_private += sizeof(afs_int32);
return (TRUE);
@@ -105,8 +109,10 @@
static bool_t xdrmem_getbytes(register XDR *xdrs, caddr_t addr, register u_int len)
{
- if ((xdrs->x_handy -= len) < 0)
+ if (xdrs->x_handy < len)
return (FALSE);
+ else
+ xdrs->x_handy -= len;
memcpy(addr, xdrs->x_private, len);
xdrs->x_private += len;
return (TRUE);
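Review bot: `xdrs->x_handy < len` in xdrmem_getbytes compares against a `u_int`, so if x_handy is a signed int (its declaration is not in this diff) the comparison is done in unsigned arithmetic. It is then a valid bound only while x_handy is never negative. The INT_MAX clamp in xdrmem_create is what provides that, but nothing at the check says so. I would add `/* x_handy is kept in [0, INT_MAX]; the unsigned compare relies on that */` above the test, here and in the xdrmem_putbytes hunk.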
@@ -114,8 +120,10 @@
static bool_t xdrmem_putbytes(register XDR *xdrs, caddr_t addr, register u_int len)
{
- if ((xdrs->x_handy -= len) < 0)
+ if (xdrs->x_handy < len)
return (FALSE);
+ else
+ xdrs->x_handy -= len;
memcpy(xdrs->x_private, addr, len);
xdrs->x_private += len;
return (TRUE);
@@ -142,7 +150,7 @@
{
afs_int32 *buf = 0;
- if (xdrs->x_handy >= len) {
+ if (len >= 0 && xdrs->x_handy >= len) {
xdrs->x_handy -= len;
buf = (afs_int32 *) xdrs->x_private;
xdrs->x_private += len;