mirror of
https://github.com/freebsd/freebsd-src
synced 2024-10-04 15:40:44 +00:00
heimdal: CVE-2022-41916: Check for overflow in _gsskrb5_get_mech()
Apply upstream 22749e918 to fix a buffer overflow.

Upstream notes:

If len_len is equal to total_len - 1 (i.e. the input consists only of a 0x60 byte and a length), the expression 'total_len - 1 - len_len - 1', used as the 'len' parameter to der_get_length(), will overflow to SIZE_MAX. Then der_get_length() will proceed to read, unconstrained, whatever data follows in memory. Add a check to ensure that doesn't happen

This is similar to samba CVE-2022-3437.

Reported by: emaste
Security: CVE-2022-41916
Obtained from: upstream 22749e918
MFC after: 1 week
parent 2433937749
commit 9286d46a79
|
@ -56,6 +56,8 @@ _gsskrb5_get_mech (const u_char *ptr,
|
||||||
return -1;
|
return -1;
|
||||||
if (total_len < 1 + len_len + 1)
|
if (total_len < 1 + len_len + 1)
|
||||||
return -1;
|
return -1;
|
||||||
|
if (total_len < 1 + len_len + 1)
|
||||||
|
return -1;
|
||||||
p += len_len;
|
p += len_len;
|
||||||
if (*p++ != 0x06)
|
if (*p++ != 0x06)
|
||||||
return -1;
|
return -1;
|
||||||
|
|
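Review bot: the added `if (total_len < 1 + len_len + 1)` check ahead of `p += len_len;` has no comment, and nothing in the surrounding lines shows why it is needed; the unsigned subtraction 'total_len - 1 - len_len - 1' that it protects is named only in the commit message. A one-line comment saying that the input must hold the 0x60 byte, the length bytes and at least the 0x06 tag byte read by `*p++` would keep a later cleanup from dropping the check as redundant. No test accompanies the hunk; the input the message describes, a 0x60 byte followed only by a length, would make a direct regression case expecting -1.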