diff options
Diffstat (limited to 'meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0004.patch')
-rw-r--r-- | meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0004.patch | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0004.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0004.patch new file mode 100644 index 0000000000..4e750f0dc6 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0004.patch @@ -0,0 +1,57 @@ +From c758910eaad3c0de2cfb68830a661c4739675a7d Mon Sep 17 00:00:00 2001 +From: Joseph Sutton <josephsutton@catalyst.net.nz> +Date: Mon, 15 Aug 2022 16:53:45 +1200 +Subject: [PATCH] gsskrb5: CVE-2022-3437 Avoid undefined behaviour in + _gssapi_verify_pad() + +By decrementing 'pad' only when we know it's safe, we ensure we can't +stray backwards past the start of a buffer, which would be undefined +behaviour. + +In the previous version of the loop, 'i' is the number of bytes left to +check, and 'pad' is the current byte we're checking. 'pad' was +decremented at the end of each loop iteration. If 'i' was 1 (so we +checked the final byte), 'pad' could potentially be pointing to the +first byte of the input buffer, and the decrement would put it one +byte behind the buffer. + +That would be undefined behaviour. + +The patch changes it so that 'pad' is the byte we previously checked, +which allows us to ensure that we only decrement it when we know we +have a byte to check. + +Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 + +Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> +Reviewed-by: Andrew Bartlett <abartlet@samba.org> + +Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/c758910eaad3c0de2cfb68830a661c4739675a7d] +CVE: CVE-2022-3437 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + lib/gssapi/krb5/decapsulate.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/lib/gssapi/krb5/decapsulate.c b/lib/gssapi/krb5/decapsulate.c +index 86085f5695..4e3fcd659e 100644 +--- a/lib/gssapi/krb5/decapsulate.c ++++ b/lib/gssapi/krb5/decapsulate.c +@@ -193,13 +193,13 @@ _gssapi_verify_pad(gss_buffer_t wrapped_token, + if (wrapped_token->length < 1) + return GSS_S_BAD_MECH; + +- pad = (u_char *)wrapped_token->value + wrapped_token->length - 1; +- padlength = *pad; ++ pad = (u_char *)wrapped_token->value + wrapped_token->length; ++ padlength = pad[-1]; + + if (padlength > datalen) + return GSS_S_BAD_MECH; + +- for (i = padlength; i > 0 && *pad == padlength; i--, pad--) ++ for (i = padlength; i > 0 && *--pad == padlength; i--) + ; + if (i != 0) + return GSS_S_BAD_MIC; |