git: 9286d46a794f - main - heimdal: CVE-2022-41916: Check for overflow in _gsskrb5_get_mech()

From: Cy Schubert <cy_at_FreeBSD.org>
Date: Thu, 15 Feb 2024 21:30:36 UTC
The branch main has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=9286d46a794f25482880d29864a8901ef6666fae

commit 9286d46a794f25482880d29864a8901ef6666fae
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2024-02-15 00:54:46 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2024-02-15 21:27:55 +0000

    heimdal: CVE-2022-41916: Check for overflow in _gsskrb5_get_mech()
    
    Apply upstream 22749e918 to fix a buffer overflow.
    
    Upstream notes:
    
        If len_len is equal to total_len - 1 (i.e. the input consists only of a
        0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
        used as the 'len' parameter to der_get_length(), will overflow to
        SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
        whatever data follows in memory. Add a check to ensure that doesn't
        happen
    
    This is similar to samba CVE-2022-3437.
    
    Reported by:    emaste
    Security:       CVE-2022-41916
    Obtained from:  upstream 22749e918
    MFC after:      1 week
---
 crypto/heimdal/lib/gssapi/krb5/decapsulate.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/crypto/heimdal/lib/gssapi/krb5/decapsulate.c b/crypto/heimdal/lib/gssapi/krb5/decapsulate.c
index 343a3d7acb97..7a18708a633a 100644
--- a/crypto/heimdal/lib/gssapi/krb5/decapsulate.c
+++ b/crypto/heimdal/lib/gssapi/krb5/decapsulate.c
@@ -56,6 +56,8 @@ _gsskrb5_get_mech (const u_char *ptr,
 	return -1;
     if (total_len < 1 + len_len + 1)
 	return -1;
+    if (total_len < 1 + len_len + 1)
+	return -1;
     p += len_len;
     if (*p++ != 0x06)
 	return -1;