From b5efdddd503020c2b64ccf9c30bb09117035f3ce Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Tue, 10 Aug 2021 17:50:35 +0300 Subject: [PATCH] Fix verification of RODC-issued PAC KDC signature Per [MS-PAC] 2.8, PAC_SIGNATURE_DATA may contain an RODCIdentifier following the checksum. In k5_pac_verify_kdc_checksum(), do not assume that the checksum spans the remainder of the buffer; instead, look up the checksum length by its type. [ghudson@mit.edu: edited commit message and comment; reordered code for clarity] ticket: 9031 (new) --- src/lib/krb5/krb/pac.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c index 950beda657..46705d23eb 100644 --- a/src/lib/krb5/krb/pac.c +++ b/src/lib/krb5/krb/pac.c @@ -596,6 +596,7 @@ k5_pac_verify_kdc_checksum(krb5_context context, krb5_checksum checksum; krb5_boolean valid; krb5_octet *p; + size_t cksumlen; ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM, &privsvr_checksum); @@ -615,11 +616,19 @@ k5_pac_verify_kdc_checksum(krb5_context context, p = (krb5_octet *)privsvr_checksum.data; checksum.checksum_type = load_32_le(p); - checksum.length = privsvr_checksum.length - PAC_SIGNATURE_DATA_LENGTH; - checksum.contents = p + PAC_SIGNATURE_DATA_LENGTH; if (!krb5_c_is_keyed_cksum(checksum.checksum_type)) return KRB5KRB_AP_ERR_INAPP_CKSUM; + /* There may be an RODCIdentifier trailer (see [MS-PAC] 2.8), so look up + * the length of the checksum by its type. */ + ret = krb5_c_checksum_length(context, checksum.checksum_type, &cksumlen); + if (ret) + return ret; + if (cksumlen > privsvr_checksum.length - PAC_SIGNATURE_DATA_LENGTH) + return KRB5_BAD_MSIZE; + checksum.length = cksumlen; + checksum.contents = p + PAC_SIGNATURE_DATA_LENGTH; + server_checksum.data += PAC_SIGNATURE_DATA_LENGTH; server_checksum.length -= PAC_SIGNATURE_DATA_LENGTH; -- 2.47.2