From c16100f60907a2de92bcb676f303b81facee0f64 Mon Sep 17 00:00:00 2001
|
|
From: Simo Sorce <simo@redhat.com>
|
|
Date: Tue, 7 Feb 2023 12:04:11 -0500
|
|
Subject: [PATCH] GHSL-2023-012: Incorrect free when decoding target
|
|
|
|
Incorrect free when decoding target information (GHSL-2023-012)
|
|
|
|
Fixes defect GHSL-2023-012 found by the GitHub Security Lab team via
|
|
oss-fuzz.
|
|
|
|
The error condition incorrectly assumed the cb and sh buffers would
|
|
contain a copy of the data that needed to be freed. However that is not the
|
|
case.
|
|
|
|
This will generally cause an assertion when trying to free a pointer
|
|
that was never allocated, and potentially memory corruption depending on
|
|
the contents of the target_info buffer.
|
|
|
|
This may cause a DoS condition.
|
|
|
|
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
---
|
|
src/ntlm.c | 2 --
|
|
1 file changed, 2 deletions(-)
|
|
|
|
diff --git a/src/ntlm.c b/src/ntlm.c
|
|
index 0ac1c03..d3d7d1b 100644
|
|
--- a/src/ntlm.c
|
|
+++ b/src/ntlm.c
|
|
@@ -731,8 +731,6 @@ int ntlm_decode_target_info(struct ntlm_ctx *ctx, struct ntlm_buffer *buffer,
|
|
|
|
done:
|
|
if (ret) {
|
|
- ntlm_free_buffer_data(&sh);
|
|
- ntlm_free_buffer_data(&cb);
|
|
safefree(nb_computer);
|
|
safefree(nb_domain);
|
|
safefree(dns_computer);
|