From 5b42970afea248889fd3350448a40045d467ff3f Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Tue, 28 Jul 2020 12:58:26 -0400
Subject: [PATCH] Fix input length checking in SPNEGO DER decoding
In get_mech_set(), check the length before reading the first byte, and decrease the length by the tag byte when reading and verifying the sequence length.
In get_req_flags(), check the length before reading the first byte, and check the context tag length after decoding it.
ticket: 8933 (new)
tags: pullup
target_version: 1.18-next
target_version: 1.17-next
(cherry picked from commit 64f4b75a22212681ca293f8f09ddd24b0244d5b4)
---
 src/lib/gssapi/spnego/spnego_mech.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 4cf011143..13c351620 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -3462,14 +3462,14 @@ get_mech_set(OM_uint32 *minor_status, unsigned char **buff_in,
 unsigned char *start;
 int i;
- if (**buff_in != SEQUENCE_OF)
+ if (buff_length < 1 || **buff_in != SEQUENCE_OF)
 return (NULL);
 start = *buff_in;
 (*buff_in)++;
- length = gssint_get_der_length(buff_in, buff_length, &bytes);
- if (length < 0 || buff_length - bytes < (unsigned int)length)
+ length = gssint_get_der_length(buff_in, buff_length - 1, &bytes);
+ if (length < 0 || buff_length - 1 - bytes < (unsigned int)length)
 return NULL;
 major_status = gss_create_empty_oid_set(minor_status,
@@ -3549,11 +3549,11 @@ get_req_flags(unsigned char **buff_in, OM_uint32 bodysize,
 {
 unsigned int len;
- if (**buff_in != (CONTEXT | 0x01))
+ if (bodysize < 1 || **buff_in != (CONTEXT | 0x01))
 return (0);
 if (g_get_tag_and_length(buff_in, (CONTEXT | 0x01),
- bodysize, &len) < 0)
+ bodysize, &len) < 0 || len != 4)
 return GSS_S_DEFECTIVE_TOKEN;
 if (*(*buff_in)++ != BIT_STRING)
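Review bot: The new bound `buff_length - 1 - bytes < (unsigned int)length` in get_mech_set() is only safe if gssint_get_der_length() never sets `bytes` larger than the `buff_length - 1` it was handed; should it do so on some path, the unsigned subtraction wraps and the check passes for any `length`. That contract lives in gssint_get_der_length(), outside this hunk, so the dependency is invisible at the call site; a comment on the check would make it explicit: `/* bytes <= buff_length - 1 whenever length >= 0, so this subtraction cannot wrap */`. The `buff_length < 1` guard on the first changed line is the right place to stop a zero-length input before the tag byte is read. get_mech_set's body continues past the end of the hunk.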
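Review bot: The `len != 4` added to the g_get_tag_and_length() condition in get_req_flags() is a bare magic number with nothing tying it to what it protects; the lines that follow consume the tagged body one octet at a time, starting with the `BIT_STRING` tag visible at the end of the hunk, and presumably the length, unused-bits and flags octets after it, so 4 is the only body size those reads can safely walk. A comment on the check, `/* req-flags body is exactly: BIT STRING tag, length, unused-bits octet, flags octet */`, or a named constant next to BIT_STRING, would document why any other length is a defective token rather than leaving the reader to count the dereferences below. get_req_flags's body continues outside the hunk.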