hardenedbsd/HardenedBSD
1
0
Fork 0
mirror of https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git synced 2024-11-28 03:42:04 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

heimdal: CVE-2022-41916: Check for overflow in _gsskrb5_get_mech()

Browse Source 
Apply upstream 22749e918 to fix a buffer overflow.

Upstream notes:

    If len_len is equal to total_len - 1 (i.e. the input consists only of a
    0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
    used as the 'len' parameter to der_get_length(), will overflow to
    SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
    whatever data follows in memory. Add a check to ensure that doesn't
    happen

This is similar to samba CVE-2022-3437.

Reported by:	emaste
Security:	CVE-2022-41916
Obtained from:	upstream 22749e918
MFC after:	1 week
This commit is contained in:
Cy Schubert 2024-02-14 16:54:46 -08:00
parent 2433937749
commit 9286d46a79
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
crypto/heimdal/lib/gssapi/krb5/decapsulate.c
View File

@ -56,6 +56,8 @@ _gsskrb5_get_mech (const u_char *ptr,
return -1;
if (total_len < 1 + len_len + 1)
return -1;
if (total_len < 1 + len_len + 1)
return -1;
p += len_len;
if (*p++ != 0x06)
return -1;