diff options
author | Cy Schubert <cy@FreeBSD.org> | 2024-02-15 00:54:46 +0000 |
---|---|---|
committer | Cy Schubert <cy@FreeBSD.org> | 2024-02-15 21:27:55 +0000 |
commit | 9286d46a794f25482880d29864a8901ef6666fae (patch) | |
tree | dd5650a0e73997d5a404156830ccaffad15b6c99 | |
parent | 24339377490f9e362d040712b534d2963decd2d7 (diff) | |
download | src-9286d46a794f25482880d29864a8901ef6666fae.tar.gz src-9286d46a794f25482880d29864a8901ef6666fae.zip |
heimdal: CVE-2022-41916: Check for overflow in _gsskrb5_get_mech()
Apply upstream 22749e918 to fix a buffer overflow.
Upstream notes:
If len_len is equal to total_len - 1 (i.e. the input consists only of a
0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
used as the 'len' parameter to der_get_length(), will overflow to
SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
whatever data follows in memory. Add a check to ensure that doesn't
happen
This is similar to samba CVE-2022-3437.
Reported by: emaste
Security: CVE-2022-41916
Obtained from: upstream 22749e918
MFC after: 1 week
-rw-r--r-- | crypto/heimdal/lib/gssapi/krb5/decapsulate.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/crypto/heimdal/lib/gssapi/krb5/decapsulate.c b/crypto/heimdal/lib/gssapi/krb5/decapsulate.c index 343a3d7acb97..7a18708a633a 100644 --- a/crypto/heimdal/lib/gssapi/krb5/decapsulate.c +++ b/crypto/heimdal/lib/gssapi/krb5/decapsulate.c @@ -56,6 +56,8 @@ _gsskrb5_get_mech (const u_char *ptr, return -1; if (total_len < 1 + len_len + 1) return -1; + if (total_len < 1 + len_len + 1) + return -1; p += len_len; if (*p++ != 0x06) return -1; |