krb5 commit: Fix input length checking in SPNEGO DER decoding

Greg Hudson ghudson at mit.edu
Wed Sep 9 17:02:54 EDT 2020


https://github.com/krb5/krb5/commit/64f4b75a22212681ca293f8f09ddd24b0244d5b4
commit 64f4b75a22212681ca293f8f09ddd24b0244d5b4
Author: Greg Hudson <ghudson at mit.edu>
Date:   Tue Jul 28 12:58:26 2020 -0400

    Fix input length checking in SPNEGO DER decoding
    
    In get_mech_set(), check the length before reading the first byte, and
    decrease the length by the tag byte when reading and verifying the
    sequence length.
    
    In get_req_flags(), check the length before reading the first byte,
    and check the context tag length after decoding it.
    
    ticket: 8933 (new)
    tags: pullup
    target_version: 1.18-next
    target_version: 1.17-next

 src/lib/gssapi/spnego/spnego_mech.c |   10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 450145d..81d2400 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -3461,14 +3461,14 @@ get_mech_set(OM_uint32 *minor_status, unsigned char **buff_in,
 	unsigned char		*start;
 	int i;
 
-	if (**buff_in != SEQUENCE_OF)
+	if (buff_length < 1 || **buff_in != SEQUENCE_OF)
 		return (NULL);
 
 	start = *buff_in;
 	(*buff_in)++;
 
-	length = gssint_get_der_length(buff_in, buff_length, &bytes);
-	if (length < 0 || buff_length - bytes < (unsigned int)length)
+	length = gssint_get_der_length(buff_in, buff_length - 1, &bytes);
+	if (length < 0 || buff_length - 1 - bytes < (unsigned int)length)
 		return NULL;
 
 	major_status = gss_create_empty_oid_set(minor_status,
@@ -3548,11 +3548,11 @@ get_req_flags(unsigned char **buff_in, OM_uint32 bodysize,
 {
 	unsigned int len;
 
-	if (**buff_in != (CONTEXT | 0x01))
+	if (bodysize < 1 || **buff_in != (CONTEXT | 0x01))
 		return (0);
 
 	if (g_get_tag_and_length(buff_in, (CONTEXT | 0x01),
-				bodysize, &len) < 0)
+				 bodysize, &len) < 0 || len != 4)
 		return GSS_S_DEFECTIVE_TOKEN;
 
 	if (*(*buff_in)++ != BIT_STRING)


More information about the cvs-krb5 mailing list