blob: d6ea22e3df8416ffcc18b67a31c383678b777fde (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
From 414b2a77fd61c26d64562e3800dc5578d9d0f15d Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Mon, 15 Aug 2022 16:53:55 +1200
Subject: [PATCH] gsskrb5: CVE-2022-3437 Check the result of
_gsskrb5_get_mech()
We should make sure that the result of 'total_len - mech_len' won't
overflow, and that we don't memcmp() past the end of the buffer.
Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/414b2a77fd61c26d64562e3800dc5578d9d0f15d]
CVE: CVE-2022-3437
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
lib/gssapi/krb5/decapsulate.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/gssapi/krb5/decapsulate.c b/lib/gssapi/krb5/decapsulate.c
index 4e3fcd659e..031a621eab 100644
--- a/lib/gssapi/krb5/decapsulate.c
+++ b/lib/gssapi/krb5/decapsulate.c
@@ -80,6 +80,10 @@ _gssapi_verify_mech_header(u_char **str,
if (mech_len != mech->length)
return GSS_S_BAD_MECH;
+ if (mech_len > total_len)
+ return GSS_S_BAD_MECH;
+ if (p - *str > total_len - mech_len)
+ return GSS_S_BAD_MECH;
if (ct_memcmp(p,
mech->elements,
mech->length) != 0)
|