Files
heimdal/lib/gssapi
Joseph Sutton 22749e918f gsskrb5: CVE-2022-3437 Check for overflow in _gsskrb5_get_mech()
If len_len is equal to total_len - 1 (i.e. the input consists only of a
0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
used as the 'len' parameter to der_get_length(), will overflow to
SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
whatever data follows in memory. Add a check to ensure that doesn't
happen.

Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-11-15 17:51:45 -06:00
..
2022-01-30 14:20:05 -05:00
2022-11-01 16:10:57 -05:00
2022-01-14 17:39:05 -06:00
2008-09-13 08:53:55 +00:00
2018-12-18 23:28:38 -06:00
2018-12-14 17:30:14 -05:00
2011-11-22 12:18:48 -08:00
2011-05-21 11:57:31 -07:00
2008-09-13 09:21:03 +00:00
2011-11-22 12:18:48 -08:00
2020-04-25 21:22:32 -05:00
2008-09-13 09:21:03 +00:00
2022-11-01 16:10:57 -05:00