| commit | 77e0f2febaaf4d6e5e42f8e73a1f8f3c0e4a2985 | |
| author | Joseph Sutton <josephsutton@catalyst.net.nz> | |
| Mon, 10 Oct 2022 07:33:09 +0000 (10 20:33 +1300) | ||
| committer | Jule Anger <janger@samba.org> | |
| Mon, 24 Oct 2022 05:27:02 +0000 (24 07:27 +0200) | ||
| tree | 876dc9808bf674ec6b8cd40feaf3ec1b8ce6094d | treesnapshot (tar.gz zip) |
| parent | 1aca34515515f2cb00fbf5ad8b9212b319f01836 | commitdiff |
CVE-2022-3437 source4/heimdal: Check for overflow in _gsskrb5_get_mech()
If len_len is equal to total_len - 1 (i.e. the input consists only of a
0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
used as the 'len' parameter to der_get_length(), will overflow to
SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
whatever data follows in memory. Add a check to ensure that doesn't
happen.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If len_len is equal to total_len - 1 (i.e. the input consists only of a
0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
used as the 'len' parameter to der_get_length(), will overflow to
SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
whatever data follows in memory. Add a check to ensure that doesn't
happen.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
| selftest/knownfail.d/heimdal-des-overflow | diffblobblamehistory | |
| source4/heimdal/lib/gssapi/krb5/decapsulate.c | diffblobblamehistory |