From 025fbb756d44ffee8f847db4222ed6aa4bd1fbe4 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 7 Feb 2023 11:53:11 -0500
Subject: [PATCH] GHSL-2023-011: Out-of-bounds read when decoding
Out-of-bounds read when decoding target information (GHSL-2023-011)
Fixes defect GHSL-2023-011 found by the GitHub Security Lab team via
oss-fuzz.
The length of the av_pair is not checked properly for two of the
|
|
elements. In case the length is shorter than required this may cause an
out-of-bound read that either reads garbage or may cause a crash by
reading unmapped memory.
This can be exploited to crash the service causing a DoS.
Signed-off-by: Simo Sorce <simo@redhat.com>
---
src/ntlm.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/ntlm.c b/src/ntlm.c
|
|
index d3d7d1b..0f71bfd 100644
|
|
--- a/src/ntlm.c
|
|
+++ b/src/ntlm.c
|
|
@@ -685,11 +685,19 @@ int ntlm_decode_target_info(struct ntlm_ctx *ctx, struct ntlm_buffer *buffer,
|
|
break;
|
|
case MSV_AV_TIMESTAMP:
|
|
if (!av_timestamp) continue;
|
|
+ if (av_len < sizeof(timestamp)) {
|
|
+ ret = ERR_DECODE;
|
|
+ goto done;
|
|
+ }
|
|
memcpy(×tamp, av_pair->value, sizeof(timestamp));
|
|
timestamp = le64toh(timestamp);
|
|
break;
|
|
case MSV_AV_FLAGS:
|
|
if (!av_flags) continue;
|
|
+ if (av_len < sizeof(flags)) {
|
|
+ ret = ERR_DECODE;
|
|
+ goto done;
|
|
+ }
|
|
memcpy(&flags, av_pair->value, sizeof(flags));
|
|
flags = le32toh(flags);
|
|
break;
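Review bot: The new guards in the MSV_AV_TIMESTAMP and MSV_AV_FLAGS cases reject only under-length pairs, so a pair that declares more than 8 (timestamp) or 4 (flags) bytes is still accepted and silently truncated to the leading bytes by the following memcpy; if the decoder is meant to reject malformed target info rather than tolerate it, an exact-size check, `if (av_len != sizeof(timestamp)) {` and `if (av_len != sizeof(flags)) {`, is the stricter form, and the same applies to both hunks. Because the checks sit after `if (!av_timestamp) continue;` and `if (!av_flags) continue;`, a truncated pair is only diagnosed when the caller asked for that field, which is safe (nothing is read) but means decode strictness depends on the caller's arguments; a one-line comment such as `/* length validated only when the field is requested */` would make that intentional. The guards presume av_len itself has already been bounded against the remaining buffer before av_pair->value is dereferenced; that check, like the rest of ntlm_decode_target_info, is outside this hunk and should be confirmed there. The `×tamp` on the memcpy line appears to be the page's rendering of `&timestamp` rather than the committed text.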
|