samba/backport-0010-CVE-2022-3437.patch

From 77e0f2febaaf4d6e5e42f8e73a1f8f3c0e4a2985 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Mon, 10 Oct 2022 20:33:09 +1300
Subject: [PATCH 14/15] CVE-2022-3437 source4/heimdal: Check for overflow in
 _gsskrb5_get_mech()

If len_len is equal to total_len - 1 (i.e. the input consists only of a
0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
used as the 'len' parameter to der_get_length(), will overflow to
SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
whatever data follows in memory. Add a check to ensure that doesn't
happen.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Conflict: NA
Reference: https://download.samba.org/pub/samba/patches/security/samba-4.15.11-security-2022-10-25.patch
---
 selftest/knownfail.d/heimdal-des-overflow     | 1 -
 source4/heimdal/lib/gssapi/krb5/decapsulate.c | 2 ++
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/selftest/knownfail.d/heimdal-des-overflow b/selftest/knownfail.d/heimdal-des-overflow
index 94a49bbee7f..a7416dc61d9 100644
--- a/selftest/knownfail.d/heimdal-des-overflow
+++ b/selftest/knownfail.d/heimdal-des-overflow
@@ -1,3 +1,2 @@
-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_0.none
 ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none
 ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none
diff --git a/source4/heimdal/lib/gssapi/krb5/decapsulate.c b/source4/heimdal/lib/gssapi/krb5/decapsulate.c
index 031a621eabc..d7b75a64222 100644
--- a/source4/heimdal/lib/gssapi/krb5/decapsulate.c
+++ b/source4/heimdal/lib/gssapi/krb5/decapsulate.c
@@ -54,6 +54,8 @@ _gsskrb5_get_mech (const u_char *ptr,
     e = der_get_length (p, total_len - 1, &len, &len_len);
     if (e || 1 + len_len + len != total_len)
 	return -1;
+    if (total_len < 1 + len_len + 1)
+	return -1;
     p += len_len;
     if (*p++ != 0x06)
 	return -1;
-- 
2.25.1
fix CVE-2022-3437 2022-10-26 08:36:58 +00:00			`From 77e0f2febaaf4d6e5e42f8e73a1f8f3c0e4a2985 Mon Sep 17 00:00:00 2001`
			`From: Joseph Sutton <josephsutton@catalyst.net.nz>`
			`Date: Mon, 10 Oct 2022 20:33:09 +1300`
			`Subject: [PATCH 14/15] CVE-2022-3437 source4/heimdal: Check for overflow in`
			`_gsskrb5_get_mech()`

			`If len_len is equal to total_len - 1 (i.e. the input consists only of a`
			`0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',`
			`used as the 'len' parameter to der_get_length(), will overflow to`
			`SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,`
			`whatever data follows in memory. Add a check to ensure that doesn't`
			`happen.`

			`BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134`

			`Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>`
			`Reviewed-by: Andrew Bartlett <abartlet@samba.org>`

			`Conflict: NA`
			`Reference: https://download.samba.org/pub/samba/patches/security/samba-4.15.11-security-2022-10-25.patch`
			`---`
			`selftest/knownfail.d/heimdal-des-overflow \| 1 -`
			`source4/heimdal/lib/gssapi/krb5/decapsulate.c \| 2 ++`
			`2 files changed, 2 insertions(+), 1 deletion(-)`

			`diff --git a/selftest/knownfail.d/heimdal-des-overflow b/selftest/knownfail.d/heimdal-des-overflow`
			`index 94a49bbee7f..a7416dc61d9 100644`
			`--- a/selftest/knownfail.d/heimdal-des-overflow`
			`+++ b/selftest/knownfail.d/heimdal-des-overflow`
			`@@ -1,3 +1,2 @@`
			`-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_0.none`
			`^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none`
			`^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none`
			`diff --git a/source4/heimdal/lib/gssapi/krb5/decapsulate.c b/source4/heimdal/lib/gssapi/krb5/decapsulate.c`
			`index 031a621eabc..d7b75a64222 100644`
			`--- a/source4/heimdal/lib/gssapi/krb5/decapsulate.c`
			`+++ b/source4/heimdal/lib/gssapi/krb5/decapsulate.c`
			`@@ -54,6 +54,8 @@ _gsskrb5_get_mech (const u_char *ptr,`
			`e = der_get_length (p, total_len - 1, &len, &len_len);`
			`if (e \|\| 1 + len_len + len != total_len)`
			`return -1;`
			`+ if (total_len < 1 + len_len + 1)`
			`+ return -1;`
			`p += len_len;`
			`if (*p++ != 0x06)`
			`return -1;`
			`--`
			`2.25.1`