packages/gssntlmssp
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
gssntlmssp/CVE-2023-25563.patch
starlet-dx b8edfa7ad5 Fix CVE-2023-25563,CVE-2023-25564,CVE-2023-25565 and CVE-2023-25567 
(cherry picked from commit f3bbca8f340260046ba0f4bda7546e45a27b4ce1)
2023-02-22 10:25:14 +08:00

68 lines
2.3 KiB
Diff
Raw Permalink Blame History

From 97c62c6167299028d80765080e74d91dfc99efbd Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 7 Feb 2023 13:51:34 -0500
Subject: [PATCH] Out-of-bounds read in multiple decode functions
These were reported as:
- Out-of-bounds read in ntlm_decode_oem_str (GHSL-2023-019)
- Out-of-bounds read in ntlm_decode_u16l_str_hdr (GHSL-2023-020)
- Out-of-bounds read in ntlm_decode_field (GHSL-2023-021)
These are lall basically the same identical error replicated in 3
separate functions.
Fixes defects GHSL-2023-019, GHSL-2023-020, GHSL-2023-021 found by
the GitHub Security Lab team via oss-fuzz.
A 32-bit integer overflow condition can lead to incorrect checks of
consistency of length of internal buffers. This leads to a DoS
as the service may end up reading from unmapped memory and crashing.
Although most applications will error out before accepting a singe input
buffer of 4GB in lenght this could theoretically happen, and therefore
we fix it.
Fixes CVE-2023-25563
Signed-off-by: Simo Sorce <simo@redhat.com>
---
src/ntlm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/ntlm.c b/src/ntlm.c
index b2d84a2..df2458a 100644
--- a/src/ntlm.c
+++ b/src/ntlm.c
@@ -205,7 +205,6 @@ static int ntlm_str_convert(iconv_t cd,
return 0;
}
-
uint8_t ntlmssp_sig[8] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
static void ntlm_encode_header(struct wire_msg_hdr *hdr, uint32_t msg_type)
@@ -256,6 +255,7 @@ static int ntlm_decode_oem_str(struct wire_field_hdr *str_hdr,
str_offs = le32toh(str_hdr->offset);
if ((str_offs < payload_offs) ||
(str_offs > buffer->length) ||
+ (UINT32_MAX - str_offs < str_len) ||
(str_offs + str_len > buffer->length)) {
return ERR_DECODE;
}
@@ -308,6 +308,7 @@ static int ntlm_decode_u16l_str_hdr(struct ntlm_ctx *ctx,
str_offs = le32toh(str_hdr->offset);
if ((str_offs < payload_offs) ||
(str_offs > buffer->length) ||
+ (UINT32_MAX - str_offs < str_len) ||
(str_offs + str_len > buffer->length)) {
return ERR_DECODE;
}
@@ -393,6 +394,7 @@ static int ntlm_decode_field(struct wire_field_hdr *hdr,
offs = le32toh(hdr->offset);
if ((offs < payload_offs) ||
(offs > buffer->length) ||
+ (UINT32_MAX - offs < len) ||
(offs + len > buffer->length)) {
return ERR_DECODE;
}
Reference in New Issue View Git Blame Copy Permalink