sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-11 16:58:40 +03:00
Code

CVE-2022-2031 s4:kdc: Don't use strncmp to compare principal components

Browse Source 
We would only compare the first 'n' characters, where 'n' is the length
of the principal component string, so 'k@REALM' would erroneously be
considered equal to 'krbtgt@REALM'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
This commit is contained in:
Joseph Sutton 2022-05-25 20:00:55 +12:00 committed by Jule Anger
parent 389851bcf3
commit d40593be83
3 changed files with 22 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
selftest/knownfail_heimdal_kdc
View File

@ -278,7 +278,3 @@
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc
#
# AS-REQ tests
#
^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_krbtgt_wrong_principal\(

4
selftest/knownfail_mit_kdc
View File

@ -583,7 +583,3 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc
#
# AS-REQ tests
#
^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_krbtgt_wrong_principal\(

27
source4/kdc/db-glue.c
View File

@ -769,15 +769,19 @@ static int principal_comp_strcmp_int(krb5_context context,
bool do_strcasecmp)
{
const char *p;
size_t len;
#if defined(HAVE_KRB5_PRINCIPAL_GET_COMP_STRING)
p = krb5_principal_get_comp_string(context, principal, component);
if (p == NULL) {
return -1;
}
len = strlen(p);
if (do_strcasecmp) {
return strcasecmp(p, string);
} else {
return strcmp(p, string);
}
#else
size_t len;
krb5_data *d;
if (component >= krb5_princ_size(context, principal)) {
return -1;
@ -789,13 +793,26 @@ static int principal_comp_strcmp_int(krb5_context context,
}
p = d->data;
len = d->length;
#endif
len = strlen(string);
/*
* We explicitly return -1 or 1. Subtracting of the two lengths might
* give the wrong result if the result overflows or loses data when
* narrowed to int.
*/
if (d->length < len) {
return -1;
} else if (d->length > len) {
return 1;
}
if (do_strcasecmp) {
return strncasecmp(p, string, len);
} else {
return strncmp(p, string, len);
return memcmp(p, string, len);
}
#endif
}
static int principal_comp_strcasecmp(krb5_context context,