Date:      Thu, 15 Feb 2024 21:30:36 GMT
From:      Cy Schubert <cy@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 9286d46a794f - main - heimdal: CVE-2022-41916: Check for overflow in _gsskrb5_get_mech()
Message-ID:  <202402152130.41FLUac3063524@gitrepo.freebsd.org>

The branch main has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=9286d46a794f25482880d29864a8901ef6666fae

commit 9286d46a794f25482880d29864a8901ef6666fae
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2024-02-15 00:54:46 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2024-02-15 21:27:55 +0000

    heimdal: CVE-2022-41916: Check for overflow in _gsskrb5_get_mech()
    
    Apply upstream 22749e918 to fix a buffer overflow.
    
    Upstream notes:
    
        If len_len is equal to total_len - 1 (i.e. the input consists only of a
        0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
        used as the 'len' parameter to der_get_length(), will overflow to
        SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
        whatever data follows in memory. Add a check to ensure that doesn't
        happen
    
    This is similar to samba CVE-2022-3437.
    
    Reported by:    emaste
    Security:       CVE-2022-41916
    Obtained from:  upstream 22749e918
    MFC after:      1 week
---
 crypto/heimdal/lib/gssapi/krb5/decapsulate.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/crypto/heimdal/lib/gssapi/krb5/decapsulate.c b/crypto/heimdal/lib/gssapi/krb5/decapsulate.c
index 343a3d7acb97..7a18708a633a 100644
--- a/crypto/heimdal/lib/gssapi/krb5/decapsulate.c
+++ b/crypto/heimdal/lib/gssapi/krb5/decapsulate.c
@@ -56,6 +56,8 @@ _gsskrb5_get_mech (const u_char *ptr,
 	return -1;
     if (total_len < 1 + len_len + 1)
 	return -1;
+    if (total_len < 1 + len_len + 1)
+	return -1;
     p += len_len;
     if (*p++ != 0x06)
 	return -1;
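
Review bot: the two added lines repeat, character for character, the `if (total_len < 1 + len_len + 1)` check that already appears as unchanged context directly above them, so as shown this hunk introduces no new condition. If the guard was already present in this file from an earlier change, the duplicate can be dropped; if a different bound was intended, it should be written out. Whichever check remains would benefit from a one-line comment saying that it keeps `total_len - 1 - len_len - 1` from wrapping before it is passed on as a length.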
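
The wrap described in the upstream notes, as an added example (not code from this commit or from Heimdal): `toy_der_length`, `unguarded_remaining` and `toy_get_mech` are hypothetical, simplified stand-ins that model only the header walk, with the guard placed before the subtraction.

```c
#include <stddef.h>

/* Toy DER length reader (a stand-in, not Heimdal's der_get_length): decodes a
 * length from at most `avail` bytes. Returns 0 on success, -1 on bad input. */
static int toy_der_length(const unsigned char *p, size_t avail,
                          size_t *val, size_t *used)
{
    if (avail < 1)
        return -1;
    size_t n = (p[0] < 0x80) ? 0 : (size_t)(p[0] & 0x7f);
    if (p[0] >= 0x80 && (n == 0 || n > sizeof(size_t) || n > avail - 1))
        return -1;
    *val = (n == 0) ? p[0] : 0;              /* short form: the byte itself */
    for (size_t i = 0; i < n; i++)           /* long form: n big-endian bytes */
        *val = (*val << 8) | p[1 + i];
    *used = 1 + n;
    return 0;
}

/* The 'len' expression from the commit message, with no guard before it. */
size_t unguarded_remaining(size_t total_len, size_t len_len)
{
    return total_len - 1 - len_len - 1;      /* wraps if total_len < len_len + 2 */
}

/* Model of the header walk: 0x60, outer length, 0x06, mechanism length.
 * Returns the mechanism OID length, or -1 on malformed input. */
long toy_get_mech(const unsigned char *ptr, size_t total_len)
{
    size_t len, len_len, mech_len, mll;
    const unsigned char *p = ptr;

    if (total_len < 1 || *p++ != 0x60)
        return -1;
    if (toy_der_length(p, total_len - 1, &len, &len_len) != 0 ||
        len != total_len - 1 - len_len)
        return -1;
    if (total_len < 1 + len_len + 1)         /* guard: room for the 0x06 tag */
        return -1;
    p += len_len;
    if (*p++ != 0x06)
        return -1;
    size_t rest = total_len - 1 - len_len - 1;   /* cannot wrap after the guard */
    if (toy_der_length(p, rest, &mech_len, &mll) != 0 || mech_len > rest - mll)
        return -1;
    return (long)mech_len;
}
```

With `total_len == 2` and `len_len == 1` the unguarded expression evaluates to `SIZE_MAX`, while the guarded walk rejects the same two-byte input before touching the byte past the end.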


