From: Joseph Sutton
Date: Tue, 2 Aug 2022 02:34:26 +0000 (+1200)
Subject: lib:crypto: Check for overflow before filling pauth_tag array
X-Git-Tag: talloc-2.4.0~1093
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cec59b82f7041a305c228091a84257c28e0818d5;p=thirdparty%2Fsamba.git

lib:crypto: Check for overflow before filling pauth_tag array

Signed-off-by: Joseph Sutton
Reviewed-by: Andreas Schneider
Reviewed-by: Andrew Bartlett
---

diff --git a/lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c b/lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c
index a05aa8a323c..fc4d21f4ec5 100644
--- a/lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c
+++ b/lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c
@@ -124,6 +124,14 @@ samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt(TALLOC_CTX *mem_ctx,
 * TODO: Use gnutls_cipher_encrypt3()
 */
 
+ if (hmac_size > 64) {
+ /*
+ * We don't want to overflow 'pauth_tag', which is 64 bytes in
+ * size.
+ */
+ return NT_STATUS_INVALID_BUFFER_SIZE;
+ }
+
 if (plaintext->length + aes_block_size < plaintext->length) {
 return NT_STATUS_INVALID_BUFFER_SIZE;
 }
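Review bot: The bound in `if (hmac_size > 64)` is a bare literal that has to stay in step with the declared size of `pauth_tag`, which is outside this hunk; if either one changes, the guard silently stops protecting the write it was added for. A named constant shared by the declaration and the check would tie them together, for example `if (hmac_size > AUTH_TAG_SIZE) {` (name constructed here), with the comment referring to that constant instead of repeating the number. `sizeof(pauth_tag)` is only a safe alternative if `pauth_tag` is a real array in this scope; for an array-typed parameter it would yield the pointer size and make the check wrong. The function body starts and ends outside the hunk, so where `hmac_size` is assigned and where the tag is written cannot be confirmed from here.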