diff options
author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2022-10-12 13:57:33 +1300 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2022-10-25 10:31:34 +0000 |
commit | 2671f995fed735bb03d9efd55d6603b35141ff38 (patch) | |
tree | 781b3478dae56407e0386f0454bffd5cbbb37311 /third_party/heimdal | |
parent | d12bd2cd50b45e064e5bea5a99c826ef156b4e64 (diff) | |
download | samba-2671f995fed735bb03d9efd55d6603b35141ff38.tar.gz |
CVE-2022-3437 third_party/heimdal: Pass correct length to _gssapi_verify_pad()
We later subtract 8 when calculating the length of the output message
buffer. If padlength is excessively high, this calculation can underflow
and result in a very large positive value.
Now we properly constrain the value of padlength so underflow shouldn't
be possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'third_party/heimdal')
-rw-r--r-- | third_party/heimdal/lib/gssapi/krb5/unwrap.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/third_party/heimdal/lib/gssapi/krb5/unwrap.c b/third_party/heimdal/lib/gssapi/krb5/unwrap.c index 493165bcfab..64613698fa4 100644 --- a/third_party/heimdal/lib/gssapi/krb5/unwrap.c +++ b/third_party/heimdal/lib/gssapi/krb5/unwrap.c @@ -124,7 +124,7 @@ unwrap_des } else { /* check pad */ ret = _gssapi_verify_pad(input_message_buffer, - input_message_buffer->length - len, + input_message_buffer->length - len - 8, &padlength); if (ret) return ret; @@ -292,7 +292,7 @@ unwrap_des3 } else { /* check pad */ ret = _gssapi_verify_pad(input_message_buffer, - input_message_buffer->length - len, + input_message_buffer->length - len - 8, &padlength); if (ret) return ret; |