diff options
| author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2000-10-10 10:54:05 +0000 |
|---|---|---|
| committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2000-10-10 10:54:05 +0000 |
| commit | e5542ac7603228dfdcda17cfa4f6171a254eb0af (patch) | |
| tree | 030c4faff7011a4d96bc6d4b51c53e125d7c584a | |
| parent | d2fac81bc71709206796116df1187a7dc4292a4d (diff) | |
avoid fd_set overflows, half by bg@sics.se
| -rw-r--r-- | kerberosIV/src/server/kerberos.c | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/kerberosIV/src/server/kerberos.c b/kerberosIV/src/server/kerberos.c index 9569eadea92..8598e46ee9f 100644 --- a/kerberosIV/src/server/kerberos.c +++ b/kerberosIV/src/server/kerberos.c @@ -9,7 +9,7 @@ #include "config.h" #include "protos.h" -RCSID("$KTH: kerberos.c,v 1.87 1999/11/13 06:35:39 assar Exp $"); +RCSID("$KTH: kerberos.c,v 1.87.2.1 2000/06/23 03:14:04 assar Exp $"); #include <stdio.h> #include <stdlib.h> @@ -298,10 +298,13 @@ kerberos(unsigned char *buf, int len, switch(msg_type){ case AUTH_MSG_KDC_REQUEST: /* XXX range check */ - p += krb_get_nir(p, name, inst, realm); + p += krb_get_nir(p, name, sizeof(name), + inst, sizeof(inst), + realm, sizeof(realm)); p += krb_get_int(p, &req_time, 4, lsb); life = *p++; - p += krb_get_nir(p, service, sinst, NULL); + p += krb_get_nir(p, service, sizeof(service), + sinst, sizeof(sinst), NULL, 0); klog(L_INI_REQ, "AS REQ %s.%s@%s for %s.%s from %s (%s/%u)", name, inst, realm, service, sinst, @@ -377,7 +380,8 @@ kerberos(unsigned char *buf, int len, } p += krb_get_int(p, &req_time, 4, lsb); life = *p++; - p += krb_get_nir(p, service, sinst, NULL); + p += krb_get_nir(p, service, sizeof(service), + sinst, sizeof(sinst), NULL, 0); klog(L_APPL_REQ, "APPL REQ %s.%s@%s for %s.%s from %s (%s/%u)", ad.pname, ad.pinst, ad.prealm, @@ -555,6 +559,10 @@ mksocket(struct descr *d, struct in_addr addr, int type, memset(d, 0, sizeof(struct descr)); if ((sock = socket(AF_INET, type, 0)) < 0) err (1, "socket"); + if (sock >= FD_SETSIZE) { + errno = EMFILE; + errx(1, "aborting: too many descriptors"); + } #if defined(SO_REUSEADDR) && defined(HAVE_SETSOCKOPT) if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)) < 0) @@ -1022,7 +1030,7 @@ loop(struct descr *fds, int nfds) if(accepted) continue; accepted = 1; s = accept(n->s, NULL, 0); - if(minfree == NULL){ + if (minfree == NULL || s >= FD_SETSIZE) { kerb_err_reply(s, NULL, KFAILURE, "Out of memory"); close(s); }else{ |