CVE-2022-42898 source4/heimdal: Add krb5_ret/store_[u]int64()
authorNicolas Williams <nico@twosigma.com>
Thu, 21 May 2015 19:24:38 +0000 (14:24 -0500)
committerJule Anger <janger@samba.org>
Tue, 15 Nov 2022 07:18:41 +0000 (08:18 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203

[jsutton@samba.org backported from Heimdal commit
 996d4c5db3c8aee10b7496591db13f52a575cef5; removed changes to
 lib/krb5/libkrb5-exports.def.in which we don't have]

source4/heimdal/lib/krb5/store-int.c
source4/heimdal/lib/krb5/store.c
source4/heimdal/lib/krb5/version-script.map

index d577629718169d4e9c77678ffbf6368007ab5c44..542b99abc08978ce9176fb7685d9db109df4cc48 100644 (file)
@@ -34,7 +34,7 @@
 #include "krb5_locl.h"
 
 KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
-_krb5_put_int(void *buffer, unsigned long value, size_t size)
+_krb5_put_int(void *buffer, uint64_t value, size_t size)
 {
     unsigned char *p = buffer;
     int i;
@@ -46,7 +46,7 @@ _krb5_put_int(void *buffer, unsigned long value, size_t size)
 }
 
 KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
-_krb5_get_int(void *buffer, unsigned long *value, size_t size)
+_krb5_get_int64(void *buffer, uint64_t *value, size_t size)
 {
     unsigned char *p = buffer;
     unsigned long v = 0;
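Review bot: The accumulator in `_krb5_get_int64` is still `unsigned long v = 0;` (an unchanged context line), although the output parameter is now `uint64_t *value`. Where `unsigned long` is 32 bits (ILP32 and LLP64 targets), an 8-byte read loses its upper half before `*value = v;` in the next hunk, so `krb5_ret_int64()` would return truncated values on those builds. Declare it as `uint64_t v = 0;`. The loop that fills `v` sits between this hunk and the next and is not visible here, so confirm its shift is carried out in the 64-bit type as well.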
@@ -56,3 +56,12 @@ _krb5_get_int(void *buffer, unsigned long *value, size_t size)
     *value = v;
     return size;
 }
+
+KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
+_krb5_get_int(void *buffer, unsigned long *value, size_t size)
+{
+    uint64_t v64;
+    krb5_ssize_t bytes = _krb5_get_int64(buffer, &v64, size);
+    *value = v64;
+    return bytes;
+}
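Review bot: `*value = v64;` in the new `_krb5_get_int` wrapper narrows silently where `unsigned long` is smaller than 64 bits, while the return value still reports `size` bytes consumed. A caller passing `size` larger than `sizeof(unsigned long)` gets a value with its high bytes dropped and no error. State the contract above the function, e.g. `/* size must not exceed sizeof(unsigned long); use _krb5_get_int64() for wider fields */`. If the existing callers check the return value, a guard on `size > sizeof(*value)` ahead of the call would make the limit enforceable rather than just documented.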
index 31afb23c983dc4ed2526fa978c2b73e8d8366804..df0227b39ded01220890572b1a1cd8be91b244e3 100644 (file)
@@ -318,13 +318,13 @@ krb5_storage_to_data(krb5_storage *sp, krb5_data *data)
 
 static krb5_error_code
 krb5_store_int(krb5_storage *sp,
-              int32_t value,
+              int64_t value,
               size_t len)
 {
     int ret;
-    unsigned char v[16];
+    unsigned char v[8];
 
-    if(len > sizeof(v))
+    if (len > sizeof(v))
        return EINVAL;
     _krb5_put_int(v, value, len);
     ret = sp->store(sp, v, len);
@@ -358,6 +358,33 @@ krb5_store_int32(krb5_storage *sp,
     return krb5_store_int(sp, value, 4);
 }
 
+/**
+ * Store a int64 to storage, byte order is controlled by the settings
+ * on the storage, see krb5_storage_set_byteorder().
+ *
+ * @param sp the storage to write too
+ * @param value the value to store
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_store_int64(krb5_storage *sp,
+                int64_t value)
+{
+    if (BYTEORDER_IS_HOST(sp))
+#ifdef WORDS_BIGENDIAN
+        ;
+#else
+       value = bswap64(value); /* There's no ntohll() */
+#endif
+    else if (BYTEORDER_IS_LE(sp))
+       value = bswap64(value);
+    return krb5_store_int(sp, value, 8);
+}
+
 /**
  * Store a uint32 to storage, byte order is controlled by the settings
  * on the storage, see krb5_storage_set_byteorder().
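Review bot: The byte-order branch in `krb5_store_int64` is an unbraced `if`/`else if` whose first body is selected by `#ifdef WORDS_BIGENDIAN` and is a lone `;` on big-endian builds. That empty statement is the only thing keeping the `else` attached, which makes the control flow hard to read and fragile under later edits. Bracing both arms and keeping only the little-endian swap under `#ifndef WORDS_BIGENDIAN` gives the same behaviour. The same shape appears in `krb5_ret_int64` in the next hunk. The inline comment on the store path should name `htonll()` rather than `ntohll()`, and the doc comment's "write too" should read "write to".

```c
    if (BYTEORDER_IS_HOST(sp)) {
#ifndef WORDS_BIGENDIAN
        value = bswap64(value); /* There's no htonll() */
#endif
    } else if (BYTEORDER_IS_LE(sp)) {
        value = bswap64(value);
    }
    return krb5_store_int(sp, value, 8);
```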
@@ -377,24 +404,99 @@ krb5_store_uint32(krb5_storage *sp,
     return krb5_store_int32(sp, (int32_t)value);
 }
 
+/**
+ * Store a uint64 to storage, byte order is controlled by the settings
+ * on the storage, see krb5_storage_set_byteorder().
+ *
+ * @param sp the storage to write too
+ * @param value the value to store
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_store_uint64(krb5_storage *sp,
+                 uint64_t value)
+{
+    return krb5_store_int64(sp, (int64_t)value);
+}
+
 static krb5_error_code
 krb5_ret_int(krb5_storage *sp,
-            int32_t *value,
+            int64_t *value,
             size_t len)
 {
     int ret;
-    unsigned char v[4];
-    unsigned long w;
+    unsigned char v[8];
+    uint64_t w;
     ret = sp->fetch(sp, v, len);
     if (ret < 0)
        return errno;
     if ((size_t)ret != len)
        return sp->eof_code;
-    _krb5_get_int(v, &w, len);
+    _krb5_get_int64(v, &w, len);
     *value = w;
     return 0;
 }
 
+/**
+ * Read a int64 from storage, byte order is controlled by the settings
+ * on the storage, see krb5_storage_set_byteorder().
+ *
+ * @param sp the storage to write too
+ * @param value the value read from the buffer
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_ret_int64(krb5_storage *sp,
+              int64_t *value)
+{
+    krb5_error_code ret = krb5_ret_int(sp, value, 8);
+    if(ret)
+       return ret;
+    if(BYTEORDER_IS_HOST(sp))
+#ifdef WORDS_BIGENDIAN
+        ;
+#else
+       *value = bswap64(*value); /* There's no ntohll() */
+#endif
+    else if(BYTEORDER_IS_LE(sp))
+       *value = bswap64(*value);
+    return 0;
+}
+
+/**
+ * Read a uint64 from storage, byte order is controlled by the settings
+ * on the storage, see krb5_storage_set_byteorder().
+ *
+ * @param sp the storage to write too
+ * @param value the value read from the buffer
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_ret_uint64(krb5_storage *sp,
+               uint64_t *value)
+{
+    krb5_error_code ret;
+    int64_t v;
+
+    ret = krb5_ret_int64(sp, &v);
+    if (ret == 0)
+       *value = (uint64_t)v;
+
+    return ret;
+}
+
 /**
  * Read a int32 from storage, byte order is controlled by the settings
  * on the storage, see krb5_storage_set_byteorder().
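Review bot: `krb5_ret_int` passes `len` straight to `sp->fetch(sp, v, len)` with `v` now `unsigned char v[8]`, but it has no guard like the `if (len > sizeof(v)) return EINVAL;` that `krb5_store_int` carries in the earlier hunk. The callers visible on this page pass the constants 2, 4 and 8, so nothing here overruns the buffer today. Even so, this static helper is the only check between a future caller and a write past a stack buffer, so add `if (len > sizeof(v)) return EINVAL;` before the fetch. Separately, the doc comments for the new `krb5_ret_int64` and `krb5_ret_uint64` describe `sp` as "the storage to write too", although these functions read from it.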
@@ -411,12 +513,15 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_ret_int32(krb5_storage *sp,
               int32_t *value)
 {
-    krb5_error_code ret = krb5_ret_int(sp, value, 4);
-    if(ret)
+    int64_t v;
+
+    krb5_error_code ret = krb5_ret_int(sp, &v, 4);
+    if (ret)
        return ret;
-    if(BYTEORDER_IS_HOST(sp))
+    *value = v;
+    if (BYTEORDER_IS_HOST(sp))
        *value = htonl(*value);
-    else if(BYTEORDER_IS_LE(sp))
+    else if (BYTEORDER_IS_LE(sp))
        *value = bswap32(*value);
     return 0;
 }
@@ -434,8 +539,7 @@ krb5_ret_int32(krb5_storage *sp,
  */
 
 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_uint32(krb5_storage *sp,
-               uint32_t *value)
+krb5_ret_uint32(krb5_storage *sp, uint32_t *value)
 {
     krb5_error_code ret;
     int32_t v;
@@ -505,7 +609,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_ret_int16(krb5_storage *sp,
               int16_t *value)
 {
-    int32_t v = 0;
+    int64_t v;
     int ret;
     ret = krb5_ret_int(sp, &v, 2);
     if(ret)
index 2359001e9da7930d3b6a489c88292656a45bd287..d0412c08d59e6366183fbcdd1fee8ff259590124 100644 (file)
@@ -550,6 +550,7 @@ HEIMDAL_KRB5_2.0 {
                krb5_ret_data;
                krb5_ret_int16;
                krb5_ret_int32;
+               krb5_ret_int64;
                krb5_ret_int8;
                krb5_ret_keyblock;
                krb5_ret_principal;
@@ -559,6 +560,7 @@ HEIMDAL_KRB5_2.0 {
                krb5_ret_times;
                krb5_ret_uint16;
                krb5_ret_uint32;
+               krb5_ret_uint64;
                krb5_ret_uint8;
                krb5_salttype_to_string;
                krb5_sendauth;
@@ -623,6 +625,7 @@ HEIMDAL_KRB5_2.0 {
                krb5_store_data;
                krb5_store_int16;
                krb5_store_int32;
+               krb5_store_int64;
                krb5_store_int8;
                krb5_store_keyblock;
                krb5_store_principal;
@@ -632,6 +635,7 @@ HEIMDAL_KRB5_2.0 {
                krb5_store_times;
                krb5_store_uint16;
                krb5_store_uint32;
+               krb5_store_uint64;
                krb5_store_uint8;
                krb5_string_to_deltat;
                krb5_string_to_enctype;