oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

gsskrb5: CVE-2022-3437 Check for overflow in _gsskrb5_get_mech()

Browse Source 
If len_len is equal to total_len - 1 (i.e. the input consists only of a
0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
used as the 'len' parameter to der_get_length(), will overflow to
SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
whatever data follows in memory. Add a check to ensure that doesn't
happen.

Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Joseph Sutton
2022-10-10 20:33:09 +13:00
committed by Nicolas Williams
parent 6a48779651
commit 22749e918f
1 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
lib/gssapi/krb5/decapsulate.c
View File

@@ -54,6 +54,8 @@ _gsskrb5_get_mech (const u_char *ptr,
e = der_get_length (p, total_len - 1, &len, &len_len); e = der_get_length (p, total_len - 1, &len, &len_len);
if (e || 1 + len_len + len != total_len) if (e || 1 + len_len + len != total_len)
return -1; return -1;
if (total_len < 1 + len_len + 1)
return -1;
p += len_len; p += len_len;
if (*p++ != 0x06) if (*p++ != 0x06)
return -1; return -1;