git.ipfire.org Git - thirdparty/samba.git/commit

author	Joseph Sutton <josephsutton@catalyst.net.nz>
	Mon, 10 Oct 2022 07:33:09 +0000 (20:33 +1300)
committer	Jule Anger <janger@samba.org>
	Mon, 24 Oct 2022 05:27:02 +0000 (07:27 +0200)
commit	77e0f2febaaf4d6e5e42f8e73a1f8f3c0e4a2985
tree	876dc9808bf674ec6b8cd40feaf3ec1b8ce6094d	tree
parent	1aca34515515f2cb00fbf5ad8b9212b319f01836	commit \| diff

CVE-2022-3437 source4/heimdal: Check for overflow in _gsskrb5_get_mech()

If len_len is equal to total_len - 1 (i.e. the input consists only of a
0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
used as the 'len' parameter to der_get_length(), will overflow to
SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
whatever data follows in memory. Add a check to ensure that doesn't
happen.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest/knownfail.d/heimdal-des-overflow		diff \| blob \| blame \| history
source4/heimdal/lib/gssapi/krb5/decapsulate.c		diff \| blob \| blame \| history