CVE-2022-3437 third_party/heimdal: Check the result of _gsskrb5_get_mech()

We should make sure that the result of 'total_len - mech_len' won't overflow, and that we don't memcmp() past the end of the buffer. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
author: Joseph Sutton <josephsutton@catalyst.net.nz> 2022-08-15 16:53:55 +1200
committer: Jule Anger <janger@samba.org> 2022-10-25 10:31:34 +0000
commit: 841b6ddcf2a80c085ed6159ec9d420f37ceb691e (patch)
tree: df09199ffe1374ecca9c512db90ef9dfb6dd5068 /third_party
parent: ba60f647524ec12b3b5901680c5922d6b2490420 (diff)
download: samba-841b6ddcf2a80c085ed6159ec9d420f37ceb691e.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/third_party/heimdal/lib/gssapi/krb5/decapsulate.c b/third_party/heimdal/lib/gssapi/krb5/decapsulate.c
index 4e3fcd659e9..031a621eabc 100644
--- a/third_party/heimdal/lib/gssapi/krb5/decapsulate.c
+++ b/third_party/heimdal/lib/gssapi/krb5/decapsulate.c
@@ -80,6 +80,10 @@ _gssapi_verify_mech_header(u_char **str,
 
     if (mech_len != mech->length)
 	return GSS_S_BAD_MECH;
+    if (mech_len > total_len)
+	return GSS_S_BAD_MECH;
+    if (p - *str > total_len - mech_len)
+	return GSS_S_BAD_MECH;
     if (ct_memcmp(p,
 		  mech->elements,
 		  mech->length) != 0)
author	Joseph Sutton <josephsutton@catalyst.net.nz>	2022-08-15 16:53:55 +1200
committer	Jule Anger <janger@samba.org>	2022-10-25 10:31:34 +0000
commit	841b6ddcf2a80c085ed6159ec9d420f37ceb691e (patch)
tree	df09199ffe1374ecca9c512db90ef9dfb6dd5068 /third_party
parent	ba60f647524ec12b3b5901680c5922d6b2490420 (diff)
download	samba-841b6ddcf2a80c085ed6159ec9d420f37ceb691e.tar.gz