oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

gsskrb5: CVE-2022-3437 Don't pass NULL pointers to memcpy() in DES unwrap

Browse Source 
Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Joseph Sutton
2022-10-12 13:57:42 +13:00
committed by Nicolas Williams
parent e407e0ead6
commit cc9af5194a
1 changed files with 8 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
lib/gssapi/krb5/unwrap.c
View File

@@ -183,9 +183,10 @@ unwrap_des
output_message_buffer->value = malloc(output_message_buffer->length); output_message_buffer->value = malloc(output_message_buffer->length);
if(output_message_buffer->length != 0 && output_message_buffer->value == NULL) if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
return GSS_S_FAILURE; return GSS_S_FAILURE;
memcpy (output_message_buffer->value, if (output_message_buffer->value != NULL)
p + 24, memcpy (output_message_buffer->value,
output_message_buffer->length); p + 24,
output_message_buffer->length);
return GSS_S_COMPLETE; return GSS_S_COMPLETE;
} }
#endif #endif
@@ -377,9 +378,10 @@ unwrap_des3
output_message_buffer->value = malloc(output_message_buffer->length); output_message_buffer->value = malloc(output_message_buffer->length);
if(output_message_buffer->length != 0 && output_message_buffer->value == NULL) if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
return GSS_S_FAILURE; return GSS_S_FAILURE;
memcpy (output_message_buffer->value, if (output_message_buffer->value != NULL)
p + 36, memcpy (output_message_buffer->value,
output_message_buffer->length); p + 36,
output_message_buffer->length);
return GSS_S_COMPLETE; return GSS_S_COMPLETE;
} }