| commit | 22749e918fcf29fd29d2ea05d10d78226c6a5b36 | |
| author | Joseph Sutton <josephsutton@catalyst.net.nz> | |
| Mon, 10 Oct 2022 07:33:09 +0000 (10 20:33 +1300) | ||
| committer | Nicolas Williams <nico@twosigma.com> | |
| Tue, 15 Nov 2022 23:51:45 +0000 (15 17:51 -0600) | ||
| tree | 8fd4d8da41ef3b516e8dc134d66539ce0e635270 | treesnapshot (tar.gz zip) |
| parent | 6a48779651a6b3b94358dbb6aee2b8a26f629db3 | commitdiff |
gsskrb5: CVE-2022-3437 Check for overflow in _gsskrb5_get_mech()
If len_len is equal to total_len - 1 (i.e. the input consists only of a
0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
used as the 'len' parameter to der_get_length(), will overflow to
SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
whatever data follows in memory. Add a check to ensure that doesn't
happen.
Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If len_len is equal to total_len - 1 (i.e. the input consists only of a
0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
used as the 'len' parameter to der_get_length(), will overflow to
SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
whatever data follows in memory. Add a check to ensure that doesn't
happen.
Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
| lib/gssapi/krb5/decapsulate.c | diffblobblamehistory |