author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2022-05-25 20:00:55 +1200 |
committer | Jule Anger <janger@samba.org> | 2022-07-27 10:52:36 +0000 |
commit | 09e54a7b1d18f2fdb3ebe47dadcea12c52bd8810 (patch) | |
tree | 59d685d6c8939443a5943210477ccdc32d04e5f7 /source4 | |
parent | be239c716874aadea7591fbe06652c449a350c3a (diff) | |
download | samba-09e54a7b1d18f2fdb3ebe47dadcea12c52bd8810.tar.gz |
CVE-2022-2031 s4:kdc: Don't use strncmp to compare principal components
We would only compare the first 'n' characters, where 'n' is the length
of the principal component string, so 'k@REALM' would erroneously be
considered equal to 'krbtgt@REALM'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'source4')
-rw-r--r-- | source4/kdc/db-glue.c | 27 |
1 files changed, 22 insertions, 5 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 68eab93c680..024073eb5bd 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -870,15 +870,19 @@ static int principal_comp_strcmp_int(krb5_context context,
 bool do_strcasecmp)
 {
 const char *p;
- size_t len;
 #if defined(HAVE_KRB5_PRINCIPAL_GET_COMP_STRING)
 p = krb5_principal_get_comp_string(context, principal, component);
 if (p == NULL) {
 return -1;
 }
- len = strlen(p);
+ if (do_strcasecmp) {
+ return strcasecmp(p, string);
+ } else {
+ return strcmp(p, string);
+ }
 #else
+ size_t len;
 krb5_data *d;
 if (component >= krb5_princ_size(context, principal)) {
 return -1;
@@ -890,13 +894,26 @@ static int principal_comp_strcmp_int(krb5_context context,
 }
 p = d->data;
- len = d->length;
-#endif
+
+ len = strlen(string);
+
+ /*
+ * We explicitly return -1 or 1. Subtracting of the two lengths might
+ * give the wrong result if the result overflows or loses data when
+ * narrowed to int.
+ */
+ if (d->length < len) {
+ return -1;
+ } else if (d->length > len) {
+ return 1;
+ }
+
 if (do_strcasecmp) {
 return strncasecmp(p, string, len);
 } else {
- return strncmp(p, string, len);
+ return memcmp(p, string, len);
 }
+#endif
 }
 static int principal_comp_strcasecmp(krb5_context context, |
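Review bot: The HAVE_KRB5_PRINCIPAL_GET_COMP_STRING branch now returns whatever strcmp()/strcasecmp() yields, while the MIT branch in the second hunk normalises a length mismatch to -1/1 and only then returns the raw memcmp()/strncasecmp() value, so the sign and magnitude of a non-zero result differ between the two builds. Nothing in the hunk documents that, and a reader could assume a strcmp-style ordering is available on both. A header comment on principal_comp_strcmp_int such as `/* Returns 0 when the component equals string; any non-zero value only means "different" — its sign is not meaningful across Heimdal and MIT builds. */` would pin the contract callers may rely on. The function's signature and its callers lie outside this hunk.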
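Review bot: After the two `d->length` checks, `memcmp(p, string, len)` and `strncasecmp(p, string, len)` are still reached when len is 0, i.e. when both the component and string are empty; if an empty MIT component can carry a NULL `d->data` (not visible from this hunk), that hands a null pointer to memcmp(), which the C standard does not allow even for a zero count. An early `if (len == 0) { return 0; }` placed after the `} else if (d->length > len)` block closes that gap at no cost. The equal-length requirement followed by a full-length memcmp() otherwise removes the prefix match that strncmp() permitted. principal_comp_strcmp_int begins before this hunk.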