80 lines
3.0 KiB
Diff
80 lines
3.0 KiB
Diff
From 1aca34515515f2cb00fbf5ad8b9212b319f01836 Mon Sep 17 00:00:00 2001
|
|
From: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
Date: Mon, 15 Aug 2022 16:54:23 +1200
|
|
Subject: [PATCH 13/15] CVE-2022-3437 source4/heimdal: Check buffer length
|
|
against overflow for DES{,3} unwrap
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
|
|
|
|
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
Conflict: NA
|
|
Reference: https://download.samba.org/pub/samba/patches/security/samba-4.15.11-security-2022-10-25.patch
|
|
---
|
|
selftest/knownfail.d/heimdal-des-overflow | 5 -----
|
|
source4/heimdal/lib/gssapi/krb5/unwrap.c | 14 ++++++++++++++
|
|
2 files changed, 14 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/selftest/knownfail.d/heimdal-des-overflow b/selftest/knownfail.d/heimdal-des-overflow
|
|
index 68b304530db..94a49bbee7f 100644
|
|
--- a/selftest/knownfail.d/heimdal-des-overflow
|
|
+++ b/selftest/knownfail.d/heimdal-des-overflow
|
|
@@ -1,8 +1,3 @@
|
|
-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_dce_style_missing_payload.none
|
|
-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_dce_style_with_seal_missing_payload.none
|
|
-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_8_bytes.none
|
|
-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_payload.none
|
|
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_0.none
|
|
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none
|
|
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none
|
|
-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_seal_missing_payload.none
|
|
diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c
|
|
index 9639091cb3a..70d26a75ccf 100644
|
|
--- a/source4/heimdal/lib/gssapi/krb5/unwrap.c
|
|
+++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c
|
|
@@ -64,6 +64,8 @@ unwrap_des
|
|
|
|
if (IS_DCE_STYLE(context_handle)) {
|
|
token_len = 22 + 8 + 15; /* 45 */
|
|
+ if (input_message_buffer->length < token_len)
|
|
+ return GSS_S_BAD_MECH;
|
|
} else {
|
|
token_len = input_message_buffer->length;
|
|
}
|
|
@@ -76,6 +78,11 @@ unwrap_des
|
|
if (ret)
|
|
return ret;
|
|
|
|
+ len = (p - (u_char *)input_message_buffer->value)
|
|
+ + 22 + 8;
|
|
+ if (input_message_buffer->length < len)
|
|
+ return GSS_S_BAD_MECH;
|
|
+
|
|
if (memcmp (p, "\x00\x00", 2) != 0)
|
|
return GSS_S_BAD_SIG;
|
|
p += 2;
|
|
@@ -216,6 +223,8 @@ unwrap_des3
|
|
|
|
if (IS_DCE_STYLE(context_handle)) {
|
|
token_len = 34 + 8 + 15; /* 57 */
|
|
+ if (input_message_buffer->length < token_len)
|
|
+ return GSS_S_BAD_MECH;
|
|
} else {
|
|
token_len = input_message_buffer->length;
|
|
}
|
|
@@ -228,6 +237,11 @@ unwrap_des3
|
|
if (ret)
|
|
return ret;
|
|
|
|
+ len = (p - (u_char *)input_message_buffer->value)
|
|
+ + 34 + 8;
|
|
+ if (input_message_buffer->length < len)
|
|
+ return GSS_S_BAD_MECH;
|
|
+
|
|
if (ct_memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
|
|
return GSS_S_BAD_SIG;
|
|
p += 2;
|
|
--
|
|
2.25.1
|