author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2022-08-15 16:53:55 +1200 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2022-10-25 10:31:34 +0000 |
commit | 841b6ddcf2a80c085ed6159ec9d420f37ceb691e (patch) | |
tree | df09199ffe1374ecca9c512db90ef9dfb6dd5068 /third_party | |
parent | ba60f647524ec12b3b5901680c5922d6b2490420 (diff) | |
download | samba-841b6ddcf2a80c085ed6159ec9d420f37ceb691e.tar.gz |
CVE-2022-3437 third_party/heimdal: Check the result of _gsskrb5_get_mech()

We should make sure that the result of 'total_len - mech_len' won't
overflow, and that we don't memcmp() past the end of the buffer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'third_party')
-rw-r--r-- | third_party/heimdal/lib/gssapi/krb5/decapsulate.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/third_party/heimdal/lib/gssapi/krb5/decapsulate.c b/third_party/heimdal/lib/gssapi/krb5/decapsulate.c index 4e3fcd659e9..031a621eabc 100644 --- a/third_party/heimdal/lib/gssapi/krb5/decapsulate.c +++ b/third_party/heimdal/lib/gssapi/krb5/decapsulate.c @@ -80,6 +80,10 @@ _gssapi_verify_mech_header(u_char **str, if (mech_len != mech->length) return GSS_S_BAD_MECH; + if (mech_len > total_len) + return GSS_S_BAD_MECH; + if (p - *str > total_len - mech_len) + return GSS_S_BAD_MECH; if (ct_memcmp(p, mech->elements, mech->length) != 0) |
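Review bot: The second added check in _gssapi_verify_mech_header(), `if (p - *str > total_len - mech_len)`, compares a pointer difference (signed ptrdiff_t) against a subtraction of two lengths whose declarations are not visible in this hunk. If those lengths are unsigned, the left side is converted to unsigned for the comparison, so the check is only sound while p never sits before *str; a cast on the left operand or a one-line comment stating that invariant would make the intent explicit. The ordering also matters and is undocumented: `if (mech_len > total_len)` is what keeps `total_len - mech_len` from wrapping, so a comment tying the two checks together would stop a later cleanup from reordering or merging them. Both new paths return GSS_S_BAD_MECH, although the condition they catch is a length that does not fit the token rather than a mismatched mechanism; consider whether GSS_S_DEFECTIVE_TOKEN describes it better for callers. The diffstat shows only decapsulate.c changing, so a regression test feeding a token with an oversized mechanism length would be worth adding alongside this fix.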