CVE-2022-3437 third_party/heimdal: Check the result of _gsskrb5_get_mech()

We should make sure that the result of 'total_len - mech_len' won't
overflow, and that we don't memcmp() past the end of the buffer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/selftest/knownfail.d/heimdal-des-overflow b/selftest/knownfail.d/heimdal-des-overflow
index 23acbb43d312567e744101278db43923f467e244..68b304530db55dbbc59ba4e2e073a201b2288917 100644 (file)
--- a/selftest/knownfail.d/heimdal-des-overflow
+++ b/selftest/knownfail.d/heimdal-des-overflow
@@ -3,7 +3,6 @@
 ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_8_bytes.none
 ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_payload.none
 ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_0.none
-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_1.none
 ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none
 ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none
 ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_seal_missing_payload.none

diff --git a/third_party/heimdal/lib/gssapi/krb5/decapsulate.c b/third_party/heimdal/lib/gssapi/krb5/decapsulate.c
index 4e3fcd659e9086046417191cdfe94fe9db5a8e6e..031a621eabc7f0c8f596adc11cc67352047e20e5 100644 (file)
--- a/third_party/heimdal/lib/gssapi/krb5/decapsulate.c
+++ b/third_party/heimdal/lib/gssapi/krb5/decapsulate.c
@@ -80,6 +80,10 @@ _gssapi_verify_mech_header(u_char **str,
 
     if (mech_len != mech->length)
        return GSS_S_BAD_MECH;
+    if (mech_len > total_len)
+       return GSS_S_BAD_MECH;
+    if (p - *str > total_len - mech_len)
+       return GSS_S_BAD_MECH;
     if (ct_memcmp(p,
                  mech->elements,
                  mech->length) != 0)