798bcb8a AM |
1 | From 5a41d2c2cd2b28a0d1aea21edeaea02bd6db4984 Mon Sep 17 00:00:00 2001 |
2 | From: Jeremy Harris <jgh146exb@wizmail.org> | |
3 | Date: Wed, 6 May 2020 22:31:25 +0100 | |
4 | Subject: [PATCH 2/2] Rework SPA fix to avoid overflows. Bug 2571 | |
5 | ||
6 | Amends: 6a7edbf660 | |
7 | (cherry picked from commit a04174dc2a84ae1008c23b6a7109e7fa3fb7b8b0) | |
8 | --- | |
9 | src/auths/spa.c | 13 +++++++++---- | |
10 | 1 file changed, 9 insertions(+), 4 deletions(-) | |
11 | ||
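diff --git a/src/auths/spa.c b/src/auths/spa.c
index ed9aff23b..4e3aef808 100644
--- a/src/auths/spa.c
+++ b/src/auths/spa.c
@@ -140,6 +140,7 @@ SPAAuthResponse response;
 SPAAuthResponse *responseptr = &response;
 uschar msgbuf[2048];
 uschar *clearpass, *s;
+unsigned off;
 
 /* send a 334, MS Exchange style, and grab the client's request,
 unless we already have it via an initial response. */
@@ -194,10 +195,13 @@ that causes failure if the size of msgbuf is exceeded. ****/
 
 {
 int i;
-char *p = ((char*)responseptr) + IVAL(&responseptr->uUser.offset,0);
+char * p;
 int len = SVAL(&responseptr->uUser.len,0)/2;
 
-if (p + len*2 >= CS (responseptr+1))
+if ( (off = IVAL(&responseptr->uUser.offset,0)) >= sizeof(SPAAuthResponse)
+|| len >= sizeof(responseptr->buffer)/2
+|| (p = (CS responseptr) + off) + len*2 >= CS (responseptr+1)
+)
 {
 DEBUG(D_auth)
 debug_printf("auth_spa_server(): bad uUser spec in response\n");
@@ -252,13 +256,14 @@ spa_smb_nt_encrypt (clearpass, challenge.challengeData, ntRespData);
 
 /* compare NT hash (LM may not be available) */
 
-s = (US responseptr) + IVAL(&responseptr->ntResponse.offset,0);
-if (s + 24 >= US (responseptr+1))
+off = IVAL(&responseptr->ntResponse.offset,0);
+if (off >= sizeof(SPAAuthResponse) - 24)
 {
 DEBUG(D_auth)
 debug_printf("auth_spa_server(): bad ntRespData spec in response\n");
 return FAIL;
 }
+s = (US responseptr) + off;
 
 if (memcmp(ntRespData, s, 24) == 0)
 return auth_check_serv_cond(ablock); /* success. we have a winner. */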
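Review bot: The third condition of the uUser check in the second hunk still forms the pointer `p + len*2` before comparing it with `CS (responseptr+1)`; with `off` allowed up to `sizeof(SPAAuthResponse)-1` and `len*2` up to nearly `sizeof(responseptr->buffer)`, that sum can point well past the end of `response`, which is undefined behaviour in C even when the pointer is only compared and never dereferenced. The bound can be expressed on integers instead, as the ntResponse hunk already does: `|| off + (unsigned)len*2 >= sizeof(SPAAuthResponse)`, with `p = (CS responseptr) + off;` assigned only after the check passes, mirroring how `s` is set after the ntResponse check. The signed/unsigned comparison `len >= sizeof(responseptr->buffer)/2` is safe only because `len` appears to come from a 16-bit `SVAL` read and so is non-negative; a comment such as `/* len is from a 16-bit field, so non-negative */` would make that dependency explicit. Both checks bound offsets against `sizeof(SPAAuthResponse)` rather than against the number of bytes actually decoded into `response`; if that length is not validated in the decode path above the hunk, the reads stay inside the object but may cover stale bytes, which is worth confirming. The enclosing `auth_spa_server` body begins and ends outside these hunks.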
57 | -- | |
58 | 2.26.2 | |
59 |