[30886] in CVS-changelog-for-Kerberos-V5
krb5 commit [krb5-1.18]: Fix input length checking in SPNEGO DER
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Nov 3 13:15:19 2020
Date: Tue, 3 Nov 2020 13:14:51 -0500
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <202011031814.0A3IEpYc007886@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/8c9443436739ef640062f619aff55f4413a946f0
commit 8c9443436739ef640062f619aff55f4413a946f0
Author: Greg Hudson <ghudson@mit.edu>
Date: Tue Jul 28 12:58:26 2020 -0400
Fix input length checking in SPNEGO DER decoding
In get_mech_set(), check the length before reading the first byte, and
decrease the length by the tag byte when reading and verifying the
sequence length.
In get_req_flags(), check the length before reading the first byte,
and check the context tag length after decoding it.
(cherry picked from commit 64f4b75a22212681ca293f8f09ddd24b0244d5b4)
ticket: 8933
version_fixed: 1.18.3
src/lib/gssapi/spnego/spnego_mech.c | 10 +++++-----
1 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 0d2a2c9..b3010c2 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -3455,14 +3455,14 @@ get_mech_set(OM_uint32 *minor_status, unsigned char **buff_in,
unsigned char *start;
int i;
- if (**buff_in != SEQUENCE_OF)
+ if (buff_length < 1 || **buff_in != SEQUENCE_OF)
return (NULL);
start = *buff_in;
(*buff_in)++;
- length = gssint_get_der_length(buff_in, buff_length, &bytes);
- if (length < 0 || buff_length - bytes < (unsigned int)length)
+ length = gssint_get_der_length(buff_in, buff_length - 1, &bytes);
+ if (length < 0 || buff_length - 1 - bytes < (unsigned int)length)
return NULL;
major_status = gss_create_empty_oid_set(minor_status,
@@ -3542,11 +3542,11 @@ get_req_flags(unsigned char **buff_in, OM_uint32 bodysize,
{
unsigned int len;
- if (**buff_in != (CONTEXT | 0x01))
+ if (bodysize < 1 || **buff_in != (CONTEXT | 0x01))
return (0);
if (g_get_tag_and_length(buff_in, (CONTEXT | 0x01),
- bodysize, &len) < 0)
+ bodysize, &len) < 0 || len != 4)
return GSS_S_DEFECTIVE_TOKEN;
if (*(*buff_in)++ != BIT_STRING)
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
