git.samba.org - samba.git/commit

author	Joseph Sutton <josephsutton@catalyst.net.nz>
	Mon, 15 Aug 2022 04:53:45 +0000 (16:53 +1200)
committer	Jule Anger <janger@samba.org>
	Mon, 24 Oct 2022 05:27:37 +0000 (07:27 +0200)
commit	e1c2e2836efaa895d817b5611bf908284c3d415d
tree	74d7574e3c9c71bb9b3a99c8703142e0fa3e66b8	tree
parent	c944773adc421b3f85a8166fa2d9733e3e9a10c2	commit \| diff

CVE-2022-3437 third_party/heimdal: Avoid undefined behaviour in _gssapi_verify_pad()

By decrementing 'pad' only when we know it's safe, we ensure we can't
stray backwards past the start of a buffer, which would be undefined
behaviour.

In the previous version of the loop, 'i' is the number of bytes left to
check, and 'pad' is the current byte we're checking. 'pad' was
decremented at the end of each loop iteration. If 'i' was 1 (so we
checked the final byte), 'pad' could potentially be pointing to the
first byte of the input buffer, and the decrement would put it one
byte behind the buffer.

That would be undefined behaviour.

The patch changes it so that 'pad' is the byte we previously checked,
which allows us to ensure that we only decrement it when we know we
have a byte to check.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>