From owner-svn-src-all@FreeBSD.ORG Tue Apr 30 18:06:44 2013 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 2E56EF9; Tue, 30 Apr 2013 18:06:44 +0000 (UTC) (envelope-from gnn@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id 03E161173; Tue, 30 Apr 2013 18:06:44 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r3UI6hPL040799; Tue, 30 Apr 2013 18:06:43 GMT (envelope-from gnn@svn.freebsd.org) Received: (from gnn@localhost) by svn.freebsd.org (8.14.6/8.14.5/Submit) id r3UI6hNY040798; Tue, 30 Apr 2013 18:06:43 GMT (envelope-from gnn@svn.freebsd.org) Message-Id: <201304301806.r3UI6hNY040798@svn.freebsd.org> From: "George V. Neville-Neil" Date: Tue, 30 Apr 2013 18:06:43 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r250111 - stable/9/sys/rpc/rpcsec_gss X-SVN-Group: stable-9 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Apr 2013 18:06:44 -0000 Author: gnn Date: Tue Apr 30 18:06:43 2013 New Revision: 250111 URL: http://svnweb.freebsd.org/changeset/base/250111 Log: Improve error handling when unwrapping received data. Submitted by: Rick Macklem Modified: stable/9/sys/rpc/rpcsec_gss/rpcsec_gss_prot.c Directory Properties: stable/9/sys/ (props changed) stable/9/sys/amd64/include/xen/ (props changed) stable/9/sys/boot/ (props changed) stable/9/sys/boot/i386/efi/ (props changed) stable/9/sys/boot/ia64/efi/ (props changed) stable/9/sys/boot/ia64/ski/ (props changed) stable/9/sys/boot/powerpc/boot1.chrp/ (props changed) stable/9/sys/boot/powerpc/ofw/ (props changed) stable/9/sys/cddl/contrib/opensolaris/ (props changed) stable/9/sys/conf/ (props changed) stable/9/sys/contrib/dev/acpica/ (props changed) stable/9/sys/contrib/octeon-sdk/ (props changed) stable/9/sys/contrib/pf/ (props changed) stable/9/sys/contrib/x86emu/ (props changed) stable/9/sys/dev/ (props changed) stable/9/sys/dev/e1000/ (props changed) stable/9/sys/dev/isp/ (props changed) stable/9/sys/dev/ixgbe/ (props changed) stable/9/sys/dev/puc/ (props changed) stable/9/sys/fs/ (props changed) stable/9/sys/fs/ntfs/ (props changed) stable/9/sys/modules/ (props changed) stable/9/sys/net/ (props changed) stable/9/sys/sys/ (props changed) Modified: stable/9/sys/rpc/rpcsec_gss/rpcsec_gss_prot.c ============================================================================== --- stable/9/sys/rpc/rpcsec_gss/rpcsec_gss_prot.c Tue Apr 30 16:59:25 2013 (r250110) +++ stable/9/sys/rpc/rpcsec_gss/rpcsec_gss_prot.c Tue Apr 30 18:06:43 2013 (r250111) @@ -208,6 +208,8 @@ m_trim(struct mbuf *m, int len) struct mbuf *n; int off; + if (m == NULL) + return; n = m_getptr(m, len, &off); if (n) { n->m_len = off; @@ -251,10 +253,19 @@ xdr_rpc_gss_unwrap_data(struct mbuf **re * Extract the MIC and make it contiguous. */ cklen = get_uint32(&results); + if (!results) { + m_freem(message); + return (FALSE); + } KASSERT(cklen <= MHLEN, ("unexpected large GSS-API checksum")); mic = results; - if (cklen > mic->m_len) + if (cklen > mic->m_len) { mic = m_pullup(mic, cklen); + if (!mic) { + m_freem(message); + return (FALSE); + } + } if (cklen != RNDUP(cklen)) m_trim(mic, cklen); @@ -272,6 +283,8 @@ xdr_rpc_gss_unwrap_data(struct mbuf **re } else if (svc == rpc_gss_svc_privacy) { /* Decode databody_priv. */ len = get_uint32(&results); + if (!results) + return (FALSE); /* Decrypt databody. */ message = results; @@ -294,6 +307,8 @@ xdr_rpc_gss_unwrap_data(struct mbuf **re /* Decode rpc_gss_data_t (sequence number + arguments). */ seq_num = get_uint32(&message); + if (!message) + return (FALSE); /* Verify sequence number. */ if (seq_num != seq) {