author Joseph Sutton <josephsutton@catalyst.net.nz> 2022-10-10 20:33:09 +1300
committer Jule Anger <janger@samba.org> 2022-10-25 10:31:34 +0000
commit d12bd2cd50b45e064e5bea5a99c826ef156b4e64
tree fe8cb0388b58c0d44c9d585581e4d5c86e4937d7 /third_party/heimdal
parent 2d0ad4ede7b391af3f38cd3664dc04c7ceea76e8
CVE-2022-3437 third_party/heimdal: Check for overflow in _gsskrb5_get_mech()

If len_len is equal to total_len - 1 (i.e. the input consists only of a 0x60 byte and a length), the expression 'total_len - 1 - len_len - 1', used as the 'len' parameter to der_get_length(), will overflow to SIZE_MAX. Then der_get_length() will proceed to read, unconstrained, whatever data follows in memory. Add a check to ensure that doesn't happen.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Diffstat (limited to 'third_party/heimdal')
-rw-r--r-- third_party/heimdal/lib/gssapi/krb5/decapsulate.c 2
1 files changed, 2 insertions, 0 deletions
diff --git a/third_party/heimdal/lib/gssapi/krb5/decapsulate.c b/third_party/heimdal/lib/gssapi/krb5/decapsulate.c
index 031a621eabc..d7b75a64222 100644
--- a/third_party/heimdal/lib/gssapi/krb5/decapsulate.c
+++ b/third_party/heimdal/lib/gssapi/krb5/decapsulate.c
@@ -54,6 +54,8 @@ _gsskrb5_get_mech (const u_char *ptr,
e = der_get_length (p, total_len - 1, &len, &len_len);
if (e || 1 + len_len + len != total_len)
return -1;
+ if (total_len < 1 + len_len + 1)
+ return -1;
p += len_len;
if (*p++ != 0x06)
return -1;
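
Review bot: the added `if (total_len < 1 + len_len + 1)` has no comment, and its intent is hard to read from the code alone. Because the line above already enforces `1 + len_len + len == total_len`, the new condition reduces to `len < 1`, that is, an outer length of zero with nothing after it. Either write it as `if (len < 1)` or add a short comment stating that it guarantees a byte is present for the 0x06 tag read by `*p++` and keeps the later `total_len - 1 - len_len - 1` from wrapping. The part of the change shown here (limited to third_party/heimdal) carries no test; a regression case with the input from the commit message, a 0x60 byte followed only by a length, would stop the check from being dropped in a later Heimdal import.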