From 315e2cecc11cd755be6e3dd4dc3175182e359e62 Mon Sep 17 00:00:00 2001
From: Jim Norman
Date: Wed, 26 Apr 2006 17:03:11 +0000
Subject: [PATCH] Security Audit 5.6: Check length of ssNameLen < 256 before allocating buffer.
---
 CASA.changes | 5 +++++
 c_micasad/verbs/OpenSecretStore.cs | 10 +++++++---
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/CASA.changes b/CASA.changes
index b2502f5c..136fa4bd 100644
--- a/CASA.changes
+++ b/CASA.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Apr 26 11:02:00 MST 2006 - jnorman@novell.com
+- Security Audit 5.6: Check length of ssNameLen < 256
+ before allocating buffer
+
 -------------------------------------------------------------------
 Wed Apr 26 10:55:20 MST 2006 - jnorman@novell.com
 - Security Audit 5.4: Issue Garbage Collect after loading persistence.
diff --git a/c_micasad/verbs/OpenSecretStore.cs b/c_micasad/verbs/OpenSecretStore.cs
index 53e248d3..01c81565 100644
--- a/c_micasad/verbs/OpenSecretStore.cs
+++ b/c_micasad/verbs/OpenSecretStore.cs
@@ -49,6 +49,8 @@ namespace sscs.verbs
 private byte[] outBuf;
 int retCode = 0;
+
+ private static int MAX_SS_NAME_LEN = 256;
 /*
 * This method sets the class member with the byte array received.
@@ -80,12 +82,14 @@ namespace sscs.verbs
 ssVersion = BitConverter.ToUInt32(inBuf,6);
 ssNameLen = BitConverter.ToUInt32(inBuf,10);
-
+
+ if (ssNameLen > MAX_SS_NAME_LEN)
+ throw new FormatException(" SecretStore Name length exceeds length allowed");
+
 byte[] tempArr = new byte[ssNameLen];
 Array.Copy(inBuf,14,tempArr,0,ssNameLen);
- ssName = Encoding.UTF8.GetString(tempArr);
+ ssName = Encoding.UTF8.GetString(tempArr);
-
 try {
 SecretStore ss = SessionManager.CreateUserSession(userId);
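Review bot: `MAX_SS_NAME_LEN`, added in the first OpenSecretStore.cs hunk, is a mutable `private static int`, so the limit that the new length check depends on can be reassigned at run time by any code in the class. Declaring it `private const int MAX_SS_NAME_LEN = 256;` fixes the value at compile time. The field also has no comment; since `ssNameLen` sizes a byte array that is then decoded as UTF-8, something like `// Upper bound, in bytes, on the SecretStore name accepted from the request buffer.` would make clear that the limit counts bytes rather than characters.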
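Review bot: The new guard in the second OpenSecretStore.cs hunk caps the allocation but never compares `ssNameLen` with the number of bytes actually present in `inBuf`, so a request that declares a name of up to 256 bytes and carries fewer still reaches `Array.Copy(inBuf,14,tempArr,0,ssNameLen)` and fails there with an exception other than `FormatException`. Extending the condition covers both cases: `if (ssNameLen > MAX_SS_NAME_LEN || ssNameLen > inBuf.Length - 14)`. The subject line says `< 256` while `>` accepts a length of exactly 256, so the documented and enforced limits should be made to agree. The throw sits above the `try` that follows, and the enclosing method begins and ends outside the hunk, so whether its caller handles `FormatException` cannot be confirmed from here.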