From: Isaac Boukris Date: Tue, 10 Aug 2021 14:50:35 +0000 (+0300) Subject: Fix verification of RODC-issued PAC KDC signature X-Git-Tag: krb5-1.20-beta1~49 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1208%2Fhead;p=thirdparty%2Fkrb5.git Fix verification of RODC-issued PAC KDC signature Per [MS-PAC] 2.8, PAC_SIGNATURE_DATA may contain an RODCIdentifier following the checksum. In k5_pac_verify_kdc_checksum(), do not assume that the checksum spans the remainder of the buffer; instead, look up the checksum length by its type. [ghudson@mit.edu: edited commit message and comment; reordered code for clarity] ticket: 9031 (new) --- diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c index 950beda657..46705d23eb 100644 --- a/src/lib/krb5/krb/pac.c +++ b/src/lib/krb5/krb/pac.c @@ -596,6 +596,7 @@ k5_pac_verify_kdc_checksum(krb5_context context, krb5_checksum checksum; krb5_boolean valid; krb5_octet *p; + size_t cksumlen; ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM, &privsvr_checksum); @@ -615,11 +616,19 @@ k5_pac_verify_kdc_checksum(krb5_context context, p = (krb5_octet *)privsvr_checksum.data; checksum.checksum_type = load_32_le(p); - checksum.length = privsvr_checksum.length - PAC_SIGNATURE_DATA_LENGTH; - checksum.contents = p + PAC_SIGNATURE_DATA_LENGTH; if (!krb5_c_is_keyed_cksum(checksum.checksum_type)) return KRB5KRB_AP_ERR_INAPP_CKSUM; + /* There may be an RODCIdentifier trailer (see [MS-PAC] 2.8), so look up + * the length of the checksum by its type. */ + ret = krb5_c_checksum_length(context, checksum.checksum_type, &cksumlen); + if (ret) + return ret; + if (cksumlen > privsvr_checksum.length - PAC_SIGNATURE_DATA_LENGTH) + return KRB5_BAD_MSIZE; + checksum.length = cksumlen; + checksum.contents = p + PAC_SIGNATURE_DATA_LENGTH; + server_checksum.data += PAC_SIGNATURE_DATA_LENGTH; server_checksum.length -= PAC_SIGNATURE_DATA_LENGTH;