author | Ronnie Sahlberg <ronnie_sahlberg@ozemail.com.au> | 2009-07-28 13:01:41 +0000 |
---|---|---|
committer | Ronnie Sahlberg <ronnie_sahlberg@ozemail.com.au> | 2009-07-28 13:01:41 +0000 |
commit | f8cf2d2c838b8fa318dce0f47a0b79c314c16783 (patch) | |
tree | 7c455fd89194a0abe748be117c6fb2a6ed66d7ea /asn1/spnego | |
parent | e464a9bef912e7ca4cf6dbe2d0004e9a738d940c (diff) |
When we passed the cryptobuffer to krb5_c_decrypt() we never actually
verified that we did have enough data in the buffer/tvb, which could
lead to a SEGV.
(for example if we enable KRB5 decryption but we do NOT use TCP
reassembly, and the encrypted data goes beyond the end of the current
segment)
Change the signature to decrypt_krb5_data() to take a TVB instead of a
buffer+length.
Actually check that we do have the entire encrypted PDU before calling
out to the kerberos libraries.
svn path=/trunk/; revision=29213
Diffstat (limited to 'asn1/spnego')
-rw-r--r-- | asn1/spnego/packet-spnego-template.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/asn1/spnego/packet-spnego-template.c b/asn1/spnego/packet-spnego-template.c index c9029979c2..7552cf2c4c 100644 --- a/asn1/spnego/packet-spnego-template.c +++ b/asn1/spnego/packet-spnego-template.c @@ -698,6 +698,7 @@ decrypt_gssapi_krb_cfx_wrap(proto_tree *tree _U_, packet_info *pinfo _U_, tvbuff char *rotated; char *output; int datalen; + tvbuff_t *next_tvb; /* dont do anything if we are not attempting to decrypt data */ if(!krb_decrypt){ @@ -709,8 +710,11 @@ decrypt_gssapi_krb_cfx_wrap(proto_tree *tree _U_, packet_info *pinfo _U_, tvbuff tvb_memcpy(tvb, rotated, 0, tvb_length(tvb)); res = rrc_rotate(rotated, tvb_length(tvb), rrc, TRUE); - output = decrypt_krb5_data(tree, pinfo, usage, tvb_length(tvb), - rotated, keytype, &datalen); + next_tvb=tvb_new_child_real_data(tvb, rotated, tvb_length(tvb), tvb_reported_length(tvb)); + add_new_data_source(pinfo, next_tvb, "GSSAPI CFX"); + + output = decrypt_krb5_data(tree, pinfo, usage, next_tvb, + keytype, &datalen); if (output) { char *outdata; |
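Review bot: In the second hunk, `next_tvb` is created with `tvb_length(tvb)` as its captured length and `tvb_reported_length(tvb)` as its reported length, so the bounds check the commit message describes only takes effect if `decrypt_krb5_data()` compares those two values before calling into the Kerberos library; that check is not part of this file's diff and should be confirmed in the companion change to `decrypt_krb5_data()`. On the same lines, `rotated` is wrapped by `tvb_new_child_real_data()` rather than copied and is then registered with `add_new_data_source()`, so the buffer must stay valid for as long as the data source does, and the visible context does not show how `rotated` is allocated or released. The data source is also added before decryption is known to have succeeded, so a "GSSAPI CFX" source holding rotated ciphertext is registered even when `output` is NULL; if that is not intended, move the `add_new_data_source()` call under `if (output)`. Finally, `res` from `rrc_rotate()` is assigned just above the changed lines but no check of it is visible before the rotated buffer is used.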