From: David Howells <dhowe...@redhat.com> Date: Thu, 15 Jun 2017 00:12:24 +0100
> This fixes CVE-2017-7482. > > When a kerberos 5 ticket is being decoded so that it can be loaded into an > rxrpc-type key, there are several places in which the length of a > variable-length field is checked to make sure that it's not going to > overrun the available data - but the data is padded to the nearest > four-byte boundary and the code doesn't check for this extra. This could > lead to the size-remaining variable wrapping and the data pointer going > over the end of the buffer. > > Fix this by making the various variable-length data checks use the padded > length. > > Reported-by: 石磊 <shile...@360.cn> > Signed-off-by: David Howells <dhowe...@redhat.com> > Reviewed-by: Marc Dionne <marc.c.dio...@auristor.com> > Reviewed-by: Dan Carpenter <dan.carpen...@oracle.com> Applied, thanks David.
