sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-02 09:47:23 +03:00
Code

CVE-2022-3437 third_party/heimdal: Check buffer length against overflow for DES{,3} unwrap

Browse Source 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Joseph Sutton 2022-08-15 16:54:23 +12:00 committed by Jule Anger
parent de77f01598
commit d16ac1f405
2 changed files with 14 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
selftest/knownfail.d/heimdal-des-overflow
View File

@ -1,8 +1,3 @@
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_dce_style_missing_payload.none
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_dce_style_with_seal_missing_payload.none
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_8_bytes.none
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_payload.none
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_0.none ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_0.none
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_seal_missing_payload.none

14
third_party/heimdal/lib/gssapi/krb5/unwrap.c vendored
View File

@ -64,6 +64,8 @@ unwrap_des
if (IS_DCE_STYLE(context_handle)) { if (IS_DCE_STYLE(context_handle)) {
token_len = 22 + 8 + 15; /* 45 */ token_len = 22 + 8 + 15; /* 45 */
if (input_message_buffer->length < token_len)
return GSS_S_BAD_MECH;
} else { } else {
token_len = input_message_buffer->length; token_len = input_message_buffer->length;
} }
@ -76,6 +78,11 @@ unwrap_des
if (ret) if (ret)
return ret; return ret;
len = (p - (u_char *)input_message_buffer->value)
+ 22 + 8;
if (input_message_buffer->length < len)
return GSS_S_BAD_MECH;
if (memcmp (p, "\x00\x00", 2) != 0) if (memcmp (p, "\x00\x00", 2) != 0)
return GSS_S_BAD_SIG; return GSS_S_BAD_SIG;
p += 2; p += 2;
@ -219,6 +226,8 @@ unwrap_des3
if (IS_DCE_STYLE(context_handle)) { if (IS_DCE_STYLE(context_handle)) {
token_len = 34 + 8 + 15; /* 57 */ token_len = 34 + 8 + 15; /* 57 */
if (input_message_buffer->length < token_len)
return GSS_S_BAD_MECH;
} else { } else {
token_len = input_message_buffer->length; token_len = input_message_buffer->length;
} }
@ -231,6 +240,11 @@ unwrap_des3
if (ret) if (ret)
return ret; return ret;
len = (p - (u_char *)input_message_buffer->value)
+ 34 + 8;
if (input_message_buffer->length < len)
return GSS_S_BAD_MECH;
if (ct_memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */ if (ct_memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
return GSS_S_BAD_SIG; return GSS_S_BAD_SIG;
p += 2; p += 2;