From eeead1cfe7c5e967237f09eb9b7f9a18dd4fc8c4 Mon Sep 17 00:00:00 2001
From: Tony Finch
Date: Thu, 10 Mar 2022 13:04:08 +0000
Subject: [PATCH] Remove a redundant variable-length array

In the GSS-TSIG verification code there was an alarming variable-length array whose size came off the network, from the signature in the request. It turned out to be safe, because the caller had previously checked that the signature had a reasonable size. However, the safety checks are in the generic TSIG implementation, and the risky VLA usage was in the GSS-specific code, and they are separated by the DST indirection layer, so it wasn't immediately obvious that the risky VLA was in fact safe. In fact this risky VLA was completely unnecessary, because the GSS signature can be verified in place without being copied to the stack, like the message covered by the signature. The `REGION_TO_GBUFFER()` macro backwardly assigns the region in its left argument to the GSS buffer in its right argument; this is just a pointer and length conversion, without copying any data. The `gss_verify_mic()` call uses both message and signature GSS buffers in a read-only manner.
---
 lib/dns/gssapi_link.c | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/lib/dns/gssapi_link.c b/lib/dns/gssapi_link.c
index b04bfd813a..a3fbb6e7e1 100644
--- a/lib/dns/gssapi_link.c
+++ b/lib/dns/gssapi_link.c
@@ -189,11 +189,10 @@ gssapi_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 static isc_result_t
 gssapi_verify(dst_context_t *dctx, const isc_region_t *sig) {
 	dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
-	isc_region_t message, r;
+	isc_region_t message;
 	gss_buffer_desc gmessage, gsig;
 	OM_uint32 minor, gret;
 	gss_ctx_id_t gssctx = dctx->key->keydata.gssctx;
-	unsigned char buf[sig->length];
 	char err[1024];
 
 	/*
@@ -202,11 +201,7 @@ gssapi_verify(dst_context_t *dctx, const isc_region_t *sig) {
 	 */
 	isc_buffer_usedregion(ctx->buffer, &message);
 	REGION_TO_GBUFFER(message, gmessage);
-
-	memmove(buf, sig->base, sig->length);
-	r.base = buf;
-	r.length = sig->length;
-	REGION_TO_GBUFFER(r, gsig);
+	REGION_TO_GBUFFER(*sig, gsig);
 
 	/*
 	 * Verify the data.
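Review bot: The new `REGION_TO_GBUFFER(*sig, gsig);` line hands the caller's signature bytes to GSS in place with no local bound on `sig->length`, and the only thing that makes that acceptable is a check that, per the commit message, lives in the generic TSIG code on the far side of the DST indirection layer — exactly the non-obviousness the commit set out to fix, so it deserves a comment at the call site. Suggested: `/* Verify the signature in place: gss_verify_mic() only reads gsig, and the signature length has already been bounded by the generic TSIG caller before it reaches DST. */`. A second line noting that a zero-length `sig` now reaches gss_verify_mic() as an empty buffer (instead of the previous zero-sized VLA) would also help a future reader. The body of gssapi_verify() starts in the previous hunk and continues past the end of this one.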