gsskrb5: CVE-2022-3437 Check buffer length against overflow for DES{,3} unwrap

Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-08-15 16:54:23 +12:00
parent 4aca82c7d0
commit 6a48779651
1 changed files with 14 additions and 0 deletions
--- a/lib/gssapi/krb5/unwrap.c
+++ b/lib/gssapi/krb5/unwrap.c
@@ -64,6 +64,8 @@ unwrap_des

  if (IS_DCE_STYLE(context_handle)) {
     token_len = 22 + 8 + 15; /* 45 */
+     if (input_message_buffer->length < token_len)
+	  return GSS_S_BAD_MECH;
  } else {
     token_len = input_message_buffer->length;
  }
@@ -76,6 +78,11 @@ unwrap_des
  if (ret)
      return ret;

+  len = (p - (u_char *)input_message_buffer->value)
+      + 22 + 8;
+  if (input_message_buffer->length < len)
+      return GSS_S_BAD_MECH;
+
  if (memcmp (p, "\x00\x00", 2) != 0)
    return GSS_S_BAD_SIG;
  p += 2;
@@ -219,6 +226,8 @@ unwrap_des3

  if (IS_DCE_STYLE(context_handle)) {
     token_len = 34 + 8 + 15; /* 57 */
+     if (input_message_buffer->length < token_len)
+	  return GSS_S_BAD_MECH;
  } else {
     token_len = input_message_buffer->length;
  }
@@ -231,6 +240,11 @@ unwrap_des3
  if (ret)
      return ret;

+  len = (p - (u_char *)input_message_buffer->value)
+      + 34 + 8;
+  if (input_message_buffer->length < len)
+      return GSS_S_BAD_MECH;
+
  if (ct_memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
    return GSS_S_BAD_SIG;
  p += 2;