mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
CVE-2022-3437 third_party/heimdal: Check the result of _gsskrb5_get_mech()
We should make sure that the result of 'total_len - mech_len' won't overflow, and that we don't memcmp() past the end of the buffer. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
ba60f64752
commit
841b6ddcf2
@ -3,7 +3,6 @@
|
||||
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_8_bytes.none
|
||||
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_payload.none
|
||||
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_0.none
|
||||
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_1.none
|
||||
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none
|
||||
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none
|
||||
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_seal_missing_payload.none
|
||||
|
@ -80,6 +80,10 @@ _gssapi_verify_mech_header(u_char **str,
|
||||
|
||||
if (mech_len != mech->length)
|
||||
return GSS_S_BAD_MECH;
|
||||
if (mech_len > total_len)
|
||||
return GSS_S_BAD_MECH;
|
||||
if (p - *str > total_len - mech_len)
|
||||
return GSS_S_BAD_MECH;
|
||||
if (ct_memcmp(p,
|
||||
mech->elements,
|
||||
mech->length) != 0)
|
||||
|
Loading…
Reference in New Issue
Block a user