From 025fbb756d44ffee8f847db4222ed6aa4bd1fbe4 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Tue, 7 Feb 2023 11:53:11 -0500
Subject: [PATCH] GHSL-2023-011: Out-of-bounds read when decoding

Out-of-bounds read when decoding target information (GHSL-2023-011)

Fixes defect GHSL-2023-011 found by the GitHub Security Lab team via oss-fuzz.

The lenght of the av_pair is not checked properly for two of the elements. In case the lenght is shorter than requires this may cause an out-of-bound read that either reads garbage or may cause a crash by reading unmapped memory.

This can be exploited to crash the service causing a DoS.

Signed-off-by: Simo Sorce
---
 src/ntlm.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/ntlm.c b/src/ntlm.c
index d3d7d1b..0f71bfd 100644
--- a/src/ntlm.c
+++ b/src/ntlm.c
@@ -685,11 +685,19 @@ int ntlm_decode_target_info(struct ntlm_ctx *ctx, struct ntlm_buffer *buffer,
             break;
         case MSV_AV_TIMESTAMP:
             if (!av_timestamp) continue;
+            if (av_len < sizeof(timestamp)) { ret = ERR_DECODE; goto done; }
             memcpy(×tamp, av_pair->value, sizeof(timestamp));
             timestamp = le64toh(timestamp);
             break;
         case MSV_AV_FLAGS:
             if (!av_flags) continue;
+            if (av_len < sizeof(flags)) { ret = ERR_DECODE; goto done; }
             memcpy(&flags, av_pair->value, sizeof(flags));
             flags = le32toh(flags);
             break;
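Review bot: The two added guards reject only a short `av_len`, so an MsvAvTimestamp or MsvAvFlags pair whose declared length is larger than 8 or 4 bytes is still accepted and its trailing bytes silently ignored; MS-NLMP defines both as fixed-size fields, so the stricter `if (av_len != sizeof(timestamp)) {` and `if (av_len != sizeof(flags)) {` would reject malformed pairs instead of decoding a prefix. Whether `av_len` was itself validated against the bytes remaining in `buffer` happens before this hunk and is not visible, so the memcpy is only as safe as that earlier check. A one-line comment on each guard would tell the next reader why it exists, e.g. `/* fixed-size field: a shorter av_len would make memcpy read past av_pair->value */`. `memcpy(×tamp, ...)` on the context line looks like `&timestamp` mangled by entity decoding in this rendering rather than real code, worth confirming against the repository. ntlm_decode_target_info starts before and continues after this hunk, including the `done:` label the new code jumps to.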