From 97c62c6167299028d80765080e74d91dfc99efbd Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 7 Feb 2023 13:51:34 -0500
Subject: [PATCH] Out-of-bounds read in multiple decode functions

These were reported as:
- Out-of-bounds read in ntlm_decode_oem_str (GHSL-2023-019)
- Out-of-bounds read in ntlm_decode_u16l_str_hdr (GHSL-2023-020)
- Out-of-bounds read in ntlm_decode_field (GHSL-2023-021)

These are lall basically the same identical error replicated in 3
separate functions.

Fixes defects GHSL-2023-019, GHSL-2023-020, GHSL-2023-021 found by
the GitHub Security Lab team via oss-fuzz.

A 32-bit integer overflow condition can lead to incorrect checks of
consistency of length of internal buffers. This leads to a DoS
as the service may end up reading from unmapped memory and crashing.

Although most applications will error out before accepting a singe input
buffer of 4GB in lenght this could theoretically happen, and therefore
we fix it.

Fixes CVE-2023-25563

Signed-off-by: Simo Sorce <simo@redhat.com>
---
 src/ntlm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/ntlm.c b/src/ntlm.c
index b2d84a2..df2458a 100644
--- a/src/ntlm.c
+++ b/src/ntlm.c
@@ -205,7 +205,6 @@ static int ntlm_str_convert(iconv_t cd,
     return 0;
 }
 
-
 uint8_t ntlmssp_sig[8] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
 
 static void ntlm_encode_header(struct wire_msg_hdr *hdr, uint32_t msg_type)
@@ -256,6 +255,7 @@ static int ntlm_decode_oem_str(struct wire_field_hdr *str_hdr,
     str_offs = le32toh(str_hdr->offset);
     if ((str_offs < payload_offs) ||
         (str_offs > buffer->length) ||
+        (UINT32_MAX - str_offs < str_len) ||
         (str_offs + str_len > buffer->length)) {
         return ERR_DECODE;
     }
@@ -308,6 +308,7 @@ static int ntlm_decode_u16l_str_hdr(struct ntlm_ctx *ctx,
     str_offs = le32toh(str_hdr->offset);
     if ((str_offs < payload_offs) ||
         (str_offs > buffer->length) ||
+        (UINT32_MAX - str_offs < str_len) ||
         (str_offs + str_len > buffer->length)) {
         return ERR_DECODE;
     }
@@ -393,6 +394,7 @@ static int ntlm_decode_field(struct wire_field_hdr *hdr,
     offs = le32toh(hdr->offset);
     if ((offs < payload_offs) ||
         (offs > buffer->length) ||
+        (UINT32_MAX - offs < len) ||
         (offs + len > buffer->length)) {
         return ERR_DECODE;
     }