Fix off-by-one bug in ISC SPNEGO implementation

The ISC SPNEGO implementation is based on mod_auth_kerb code.  When
CVE-2006-5989 was disclosed, the relevant fix was not applied to the
BIND 9 codebase, making the latter vulnerable to the aforementioned flaw
when "tkey-gssapi-keytab" or "tkey-gssapi-credential" is set in
named.conf.

The original description of CVE-2006-5989 was:

    Off-by-one error in the der_get_oid function in mod_auth_kerb 5.0
    allows remote attackers to cause a denial of service (crash) via a
    crafted Kerberos message that triggers a heap-based buffer overflow
    in the component array.

Later research revealed that this flaw also theoretically enables remote
code execution, though achieving the latter in real-world conditions is
currently deemed very difficult.

This vulnerability was responsibly reported as ZDI-CAN-12302 ("ISC BIND
TKEY Query Heap-based Buffer Overflow Remote Code Execution
Vulnerability") by Trend Micro Zero Day Initiative.

diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
index e61d1c600f248229ad4932307ecdd851947c6449..753dc8049fa570c3d0cc33c8be47f991572d5e4f 100644 (file)
--- a/lib/dns/spnego.c
+++ b/lib/dns/spnego.c
@@ -848,7 +848,7 @@ der_get_oid(const unsigned char *p, size_t len, oid *data, size_t *size) {
                return (ASN1_OVERRUN);
        }
 
-       data->components = malloc(len * sizeof(*data->components));
+       data->components = malloc((len + 1) * sizeof(*data->components));
        if (data->components == NULL) {
                return (ENOMEM);
        }