Make gssntlm_import_name_by_mech more robust

simo5 · simo5 · commit 0f4889ab2370 · 2023-02-12T10:59:30.000-05:00
This was reported by the GitHub Security Lab team as:
- Memory corruption when importing host-based service names (GHSL-2023-014)

However the only caller that could cause the issue report in a way that
culd lead to memory corruption is the application itself calling
gss_import_name with an invalid name buffer containing embedded zeros.

This is an invalid name for any GSSAPI mechanism and an incorrect use or
incorrect validation on the application side. As such I do not believe
this is a security or DoS issue in the gss-ntlmssp code, but will adopt
the proposed mitigation anyway as it makes the code more robust in the
face of application mistakes.

Signed-off-by: Simo Sorce &lt;simo@redhat.com&gt;
diff --git a/src/gss_names.c b/src/gss_names.c
@@ -299,7 +299,7 @@ uint32_t gssntlm_import_name_by_mech(uint32_t *minor_status,
                 set_GSSERR(ENOMEM);
                 goto done;
             }
-            p = memchr(spn, '@', input_name_buffer->length);
+            p = strchr(spn, '@');
             if (p && input_name_buffer->length == 1) {
                 free(spn);
                 spn = p = NULL;

Original file line number	Diff line number	Diff line change
`@@ -299,7 +299,7 @@ uint32_t gssntlm_import_name_by_mech(uint32_t *minor_status,`
`299`	`299`	`set_GSSERR(ENOMEM);`
`300`	`300`	`goto done;`
`301`	`301`	`}`
`302`		`- p = memchr(spn, '@', input_name_buffer->length);`
	`302`	`+ p = strchr(spn, '@');`
`303`	`303`	`if (p && input_name_buffer->length == 1) {`
`304`	`304`	`free(spn);`
`305`	`305`	`spn = p = NULL;`