author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2022-08-15 16:53:55 +1200 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2022-10-24 07:27:37 +0200 |
commit | de77f0159873fb0c569c02cee5aa492af8e3f461 (patch) | |
tree | d869a59f47c9b3384f81c725409f9da4ad88cf73 | |
parent | e1c2e2836efaa895d817b5611bf908284c3d415d (diff) | |

CVE-2022-3437 third_party/heimdal: Check the result of _gsskrb5_get_mech()

We should make sure that the result of 'total_len - mech_len' won't
overflow, and that we don't memcmp() past the end of the buffer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

-rw-r--r-- | selftest/knownfail.d/heimdal-des-overflow | 1 |
-rw-r--r-- | third_party/heimdal/lib/gssapi/krb5/decapsulate.c | 4 |

2 files changed, 4 insertions, 1 deletions

diff --git a/selftest/knownfail.d/heimdal-des-overflow b/selftest/knownfail.d/heimdal-des-overflow index 23acbb43d31..68b304530db 100644 --- a/selftest/knownfail.d/heimdal-des-overflow +++ b/selftest/knownfail.d/heimdal-des-overflow @@ -3,7 +3,6 @@ ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_8_bytes.none ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_payload.none ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_0.none -^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_1.none ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_seal_missing_payload.none diff --git a/third_party/heimdal/lib/gssapi/krb5/decapsulate.c b/third_party/heimdal/lib/gssapi/krb5/decapsulate.c index 4e3fcd659e9..031a621eabc 100644 --- a/third_party/heimdal/lib/gssapi/krb5/decapsulate.c +++ b/third_party/heimdal/lib/gssapi/krb5/decapsulate.c @@ -80,6 +80,10 @@ _gssapi_verify_mech_header(u_char **str, if (mech_len != mech->length) return GSS_S_BAD_MECH; + if (mech_len > total_len) + return GSS_S_BAD_MECH; + if (p - *str > total_len - mech_len) + return GSS_S_BAD_MECH; if (ct_memcmp(p, mech->elements, mech->length) != 0) |
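
Review bot: In the selftest/knownfail.d/heimdal-des-overflow hunk only `test_unwrap_truncated_header_1` is dropped, while `test_unwrap_truncated_header_0` and the other `heimdal_gensec_unwrap_des` entries in the context lines stay listed as known failures. The commit message should name the test that the new check makes pass, so it is clear that the remaining entries are still expected to fail after this commit.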
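
Review bot: The two checks added before `ct_memcmp()` in `_gssapi_verify_mech_header()` are order-dependent and carry no comment saying so: `p - *str > total_len - mech_len` is only meaningful because `mech_len > total_len` has been rejected on the lines just above, which keeps the subtraction from wrapping. A one-line comment on that dependency would stop a later cleanup from reordering or merging them. The comparison also puts a pointer difference (signed) against `total_len - mech_len`, whose type is not visible in this hunk; if those are unsigned, an explicit cast or a preceding `p < *str` rejection would make the intended comparison unambiguous. Finally, both new branches return `GSS_S_BAD_MECH`; a token too short to hold the mechanism OID is a malformed token rather than a wrong mechanism, so consider whether `GSS_S_DEFECTIVE_TOKEN` is the better status here.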