git: 9286d46a794f - main - heimdal: CVE-2022-41916: Check for overflow in _gsskrb5_get_mech()
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 15 Feb 2024 21:30:36 UTC
The branch main has been updated by cy:
URL: https://cgit.FreeBSD.org/src/commit/?id=9286d46a794f25482880d29864a8901ef6666fae
commit 9286d46a794f25482880d29864a8901ef6666fae
Author: Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2024-02-15 00:54:46 +0000
Commit: Cy Schubert <cy@FreeBSD.org>
CommitDate: 2024-02-15 21:27:55 +0000
heimdal: CVE-2022-41916: Check for overflow in _gsskrb5_get_mech()
Apply upstream 22749e918 to fix a buffer overflow.
Upstream notes:
If len_len is equal to total_len - 1 (i.e. the input consists only of a
0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
used as the 'len' parameter to der_get_length(), will overflow to
SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
whatever data follows in memory. Add a check to ensure that doesn't
happen
This is similar to samba CVE-2022-3437.
Reported by: emaste
Security: CVE-2022-41916
Obtained from: upstream 22749e918
MFC after: 1 week
---
crypto/heimdal/lib/gssapi/krb5/decapsulate.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/crypto/heimdal/lib/gssapi/krb5/decapsulate.c b/crypto/heimdal/lib/gssapi/krb5/decapsulate.c
index 343a3d7acb97..7a18708a633a 100644
--- a/crypto/heimdal/lib/gssapi/krb5/decapsulate.c
+++ b/crypto/heimdal/lib/gssapi/krb5/decapsulate.c
@@ -56,6 +56,8 @@ _gsskrb5_get_mech (const u_char *ptr,
return -1;
if (total_len < 1 + len_len + 1)
return -1;
+ if (total_len < 1 + len_len + 1)
+ return -1;
p += len_len;
if (*p++ != 0x06)
return -1;