
Commit 97c62c6

committed
Out-of-bounds read in multiple decode functions
These were reported as: - Out-of-bounds read in ntlm_decode_oem_str (GHSL-2023-019) - Out-of-bounds read in ntlm_decode_u16l_str_hdr (GHSL-2023-020) - Out-of-bounds read in ntlm_decode_field (GHSL-2023-021) These are all basically the same identical error replicated in 3 separate functions. Fixes defects GHSL-2023-019, GHSL-2023-020, GHSL-2023-021 found by the GitHub Security Lab team via oss-fuzz. A 32-bit integer overflow condition can lead to incorrect checks of consistency of length of internal buffers. This leads to a DoS as the service may end up reading from unmapped memory and crashing. Although most applications will error out before accepting a single input buffer of 4GB in length this could theoretically happen, and therefore we fix it. Fixes CVE-2023-25563 Signed-off-by: Simo Sorce <simo@redhat.com>
1 parent 0f4889a commit 97c62c6


1 file changed

+3
-1
lines changed


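--- a/src/ntlm.c
+++ b/src/ntlm.c
@@ -205,7 +205,6 @@ static int ntlm_str_convert(iconv_t cd,
 return 0;
 }
 
-
 uint8_t ntlmssp_sig[8] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
 
 static void ntlm_encode_header(struct wire_msg_hdr *hdr, uint32_t msg_type)
@@ -256,6 +255,7 @@ static int ntlm_decode_oem_str(struct wire_field_hdr *str_hdr,
 str_offs = le32toh(str_hdr->offset);
 if ((str_offs < payload_offs) ||
 (str_offs > buffer->length) ||
+(UINT32_MAX - str_offs < str_len) ||
 (str_offs + str_len > buffer->length)) {
 return ERR_DECODE;
 }
@@ -308,6 +308,7 @@ static int ntlm_decode_u16l_str_hdr(struct ntlm_ctx *ctx,
 str_offs = le32toh(str_hdr->offset);
 if ((str_offs < payload_offs) ||
 (str_offs > buffer->length) ||
+(UINT32_MAX - str_offs < str_len) ||
 (str_offs + str_len > buffer->length)) {
 return ERR_DECODE;
 }
@@ -393,6 +394,7 @@ static int ntlm_decode_field(struct wire_field_hdr *hdr,
 offs = le32toh(hdr->offset);
 if ((offs < payload_offs) ||
 (offs > buffer->length) ||
+(UINT32_MAX - offs < len) ||
 (offs + len > buffer->length)) {
 return ERR_DECODE;
 }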
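Review bot: The new guard `(UINT32_MAX - str_offs < str_len) ||` in ntlm_decode_oem_str, and its twins in ntlm_decode_u16l_str_hdr and ntlm_decode_field, bounds the following addition only if `str_offs` and `str_len` are both exactly 32-bit unsigned; their declarations are outside the hunks, so this is inferred from the `le32toh` decode and the constant, and widening either variable later would silently defeat the check. Because the preceding term already rejects `str_offs > buffer->length`, the short-circuited remainder can instead be written without any width assumption as `(str_len > buffer->length - str_offs)) {`, replacing both the overflow term and the sum. Whichever form is kept deserves a one-line comment such as `/* offset+length must not wrap before it is compared to the buffer bound */`, since the intent is not obvious from the arithmetic alone. All three enclosing function bodies begin and end outside the hunks.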
