From c753000eb31835c0664e528fbc99378ae0cbe950 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 7 Feb 2023 12:14:20 -0500
Subject: [PATCH] GHSL-2023-013: Memory corruption decoding UTF16
Memory corruption when decoding UTF16 strings (GHSL-2023-013)
Fixes defect GHSL-2023-013 found by the GitHub Security Lab team via
oss-fuzz.
The variable outlen was not initialized and could cause writing a zero
to an arbitrary place in memory if ntlm_str_convert() were to fail,
which would leave outlen uninitialized.
This can lead to a DoS if the write hits unmapped memory or randomly
corrupting a byte in the application memory space.
Make sure to zero out only if ntlm_str_convert() succeeds, but for good
measure also initialize outlen to 0.
Fixes CVE-2023-25564
Signed-off-by: Simo Sorce <simo@redhat.com>
---
src/ntlm.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
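diff --git a/src/ntlm.c b/src/ntlm.c
index df2458a..0ac1c03 100644
--- a/src/ntlm.c
+++ b/src/ntlm.c
@@ -299,7 +299,7 @@ static int ntlm_decode_u16l_str_hdr(struct ntlm_ctx *ctx,
 char *in, *out = NULL;
 uint16_t str_len;
 uint32_t str_offs;
- size_t outlen;
+ size_t outlen = 0;
 int ret = 0;
 
 str_len = le16toh(str_hdr->len);
@@ -320,13 +320,14 @@ static int ntlm_decode_u16l_str_hdr(struct ntlm_ctx *ctx,
 
 ret = ntlm_str_convert(ctx->to_oem, in, out, str_len, &outlen);
 
- /* make sure to terminate output string */
- out[outlen] = '\0';
-
 done:
 if (ret) {
 safefree(out);
+ } else {
+ /* make sure to terminate output string */
+ out[outlen] = '\0';
 }
+
 *str = out;
 return ret;
 }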
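Review bot: The new `else` branch at the `done:` label writes `out[outlen]` on every path where `ret` is still 0, so any earlier `goto done` that reaches the label without having set `ret` would now dereference `out`, which this function initializes to `NULL` on the hunk's first line; the lines between the two hunks and the start of the function are outside this view, so I cannot confirm whether such a path exists. A cheap guard that keeps the fix and removes the dependency on that invariant is `} else if (out) {` in place of `} else {`. The terminating write also relies on `ntlm_str_convert()` leaving `outlen` strictly below the size allocated for `out` (the allocation is not in the hunk); I would record that contract next to the write, e.g. `/* outlen is only valid when ntlm_str_convert() succeeded and must be < the allocated size of out (CVE-2023-25564) */`, so the next refactor does not move the write back above the error check.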