help-gsasl

Re: [Bug] invalid mem access in lib/gssapi/client.c


From: Simon Josefsson
Subject: Re: [Bug] invalid mem access in lib/gssapi/client.c
Date: Mon, 13 Jun 2022 07:54:27 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

tbc TobeContinued <tbc.dengwenqi@gmail.com> writes:

> Hi, all
>   I found an invalid mem access bug in lib/gssapi/client.c. Here is the 
> patch. Hope it is helpful for the project.

Thank you, and sorry for the delay in answering this.  May I ask how you
found this?  GSSAPI data encode/decode functionality is rarely used and
sometimes having this enabled may suggest there is a bug or suboptimal
behaviour elsewhere.  Is some real-world application triggering this, or
can you give any more information on how you discovered it?

Anyway, I have fixed it now, here:
https://git.savannah.gnu.org/cgit/gsasl.git/commit/?id=f95d18eeb0713df45f9a78ec837e4c1603ceffcf

/Simon

> diff --git a/lib/gssapi/client.c b/lib/gssapi/client.c
> index f46d65ac..cd4ccc01 100644
> --- a/lib/gssapi/client.c
> +++ b/lib/gssapi/client.c
> @@ -299,7 +299,7 @@ _gsasl_gssapi_client_encode (Gsasl_session * sctx,
>        if (GSS_ERROR (maj_stat))
>         return GSASL_GSSAPI_WRAP_ERROR;
>        *output_len = output_message_buffer.length;
> -      *output = malloc (input_len);
> +      *output = malloc (output_message_buffer.length);
>        if (!*output)
>         {
>           maj_stat = gss_release_buffer (&min_stat, &output_message_buffer);
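Review bot: in _gsasl_gssapi_client_encode the new allocation size repeats output_message_buffer.length, which the line directly above has already stored in *output_len; writing it as malloc (*output_len) keeps the allocated size and the length reported to the caller tied to one value. Separately, if the wrapped buffer ever has length 0, malloc may legitimately return NULL and the if (!*output) branch would treat that as an allocation failure, so a zero-length result deserves an explicit case or a comment saying it cannot happen here.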
> @@ -352,7 +352,7 @@ _gsasl_gssapi_client_decode (Gsasl_session * sctx,
>        if (GSS_ERROR (maj_stat))
>         return GSASL_GSSAPI_UNWRAP_ERROR;
>        *output_len = output_message_buffer.length;
> -      *output = malloc (input_len);
> +      *output = malloc (output_message_buffer.length);
>        if (!*output)
>         {
>           maj_stat = gss_release_buffer (&min_stat, &output_message_buffer);
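Review bot: the allocation in _gsasl_gssapi_client_decode is line-for-line the same change as in the encode path, and in both the failure branch overwrites maj_stat with the result of gss_release_buffer, so the two copies can drift apart again. Consider moving the allocate-from-output_message_buffer step into one small static helper used by both functions, and add a short comment that the unwrapped length is independent of input_len, since that assumption is what the removed malloc (input_len) got wrong. A regression test that round-trips a message whose wrapped and unwrapped sizes differ from input_len would keep this from returning.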
>
>
> Best regards,
> Deng, Wenqi
