From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Mon, 15 Aug 2022 04:54:23 +0000 (+1200)
Subject: CVE-2022-3437 third_party/heimdal: Check buffer length against overflow for DES{... 
X-Git-Tag: talloc-2.4.0~657
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2d0ad4ede7b391af3f38cd3664dc04c7ceea76e8;p=thirdparty%2Fsamba.git

CVE-2022-3437 third_party/heimdal: Check buffer length against overflow for DES{,3} unwrap

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/selftest/knownfail.d/heimdal-des-overflow b/selftest/knownfail.d/heimdal-des-overflow
index 68b304530db..94a49bbee7f 100644
--- a/selftest/knownfail.d/heimdal-des-overflow
+++ b/selftest/knownfail.d/heimdal-des-overflow
@@ -1,8 +1,3 @@
-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_dce_style_missing_payload.none
-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_dce_style_with_seal_missing_payload.none
-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_8_bytes.none
-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_payload.none
 ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_0.none
 ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none
 ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none
-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_seal_missing_payload.none
diff --git a/third_party/heimdal/lib/gssapi/krb5/unwrap.c b/third_party/heimdal/lib/gssapi/krb5/unwrap.c
index 61ca29156a1..493165bcfab 100644
--- a/third_party/heimdal/lib/gssapi/krb5/unwrap.c
+++ b/third_party/heimdal/lib/gssapi/krb5/unwrap.c
@@ -64,6 +64,8 @@ unwrap_des
 
   if (IS_DCE_STYLE(context_handle)) {
      token_len = 22 + 8 + 15; /* 45 */
+     if (input_message_buffer->length < token_len)
+	  return GSS_S_BAD_MECH;
   } else {
      token_len = input_message_buffer->length;
   }
@@ -76,6 +78,11 @@ unwrap_des
   if (ret)
       return ret;
 
+  len = (p - (u_char *)input_message_buffer->value)
+      + 22 + 8;
+  if (input_message_buffer->length < len)
+      return GSS_S_BAD_MECH;
+
   if (memcmp (p, "\x00\x00", 2) != 0)
     return GSS_S_BAD_SIG;
   p += 2;
@@ -219,6 +226,8 @@ unwrap_des3
 
   if (IS_DCE_STYLE(context_handle)) {
      token_len = 34 + 8 + 15; /* 57 */
+     if (input_message_buffer->length < token_len)
+	  return GSS_S_BAD_MECH;
   } else {
      token_len = input_message_buffer->length;
   }
@@ -231,6 +240,11 @@ unwrap_des3
   if (ret)
       return ret;
 
+  len = (p - (u_char *)input_message_buffer->value)
+      + 34 + 8;
+  if (input_message_buffer->length < len)
+      return GSS_S_BAD_MECH;
+
   if (ct_memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
     return GSS_S_BAD_SIG;
   p += 2;