kpasswdd: Fix out-of-bounds read (#1058)

2023-01-01 19:15:35 -06:00 · 2023-01-01 19:15:35 -06:00 · 1baec53f8d
commit 1baec53f8d
parent 914cd2f31c
1 changed files with 11 additions and 2 deletions
--- a/kpasswd/kpasswdd.c
+++ b/kpasswd/kpasswdd.c
@ -463,18 +463,27 @@ verify (krb5_auth_context *auth_context,
     * either an invalid request or an error packet.  An error packet may be
     * the result of a ping-pong attacker pointing us at another kpasswdd.
     */
+    if (len < 6) {
+	krb5_warnx(context, "Message too short: %llu",
+	    (unsigned long long)len);
+	return 1;
+    }
    pkt_len = (msg[0] << 8) | (msg[1]);
    pkt_ver = (msg[2] << 8) | (msg[3]);
    ap_req_len = (msg[4] << 8) | (msg[5]);
    if (pkt_len != len) {
-	krb5_warnx (context, "Strange len: %ld != %ld",
-		    (long)pkt_len, (long)len);
+	krb5_warnx(context, "Bad packet length: %u != %llu", pkt_len,
+	    (unsigned long long)len);
 	return 1;
    }
    if (ap_req_len == 0) {
 	krb5_warnx (context, "Request is error packet (ap_req_len == 0)");
 	return 1;
    }
+    if (ap_req_len + 6 > len) {
+	krb5_warnx(context, "Bad AP-REQ length: %u", ap_req_len);
+	return 1;
+    }
    if (pkt_ver != KRB5_KPASSWD_VERS_CHANGEPW &&
 	pkt_ver != KRB5_KPASSWD_VERS_SETPW) {
 	krb5_warnx (context, "Bad version (%d)", pkt_ver);