| 1 | From 5a41d2c2cd2b28a0d1aea21edeaea02bd6db4984 Mon Sep 17 00:00:00 2001 |
| 2 | From: Jeremy Harris <jgh146exb@wizmail.org> |
| 3 | Date: Wed, 6 May 2020 22:31:25 +0100 |
| 4 | Subject: [PATCH 2/2] Rework SPA fix to avoid overflows. Bug 2571 |
| 5 | |
| 6 | Amends: 6a7edbf660 |
| 7 | (cherry picked from commit a04174dc2a84ae1008c23b6a7109e7fa3fb7b8b0) |
| 8 | --- |
| 9 | src/auths/spa.c | 13 +++++++++---- |
| 10 | 1 file changed, 9 insertions(+), 4 deletions(-) |
| 11 | |
| 12 | diff --git a/src/auths/spa.c b/src/auths/spa.c |
| 13 | index ed9aff23b..4e3aef808 100644 |
| 14 | --- a/src/auths/spa.c |
| 15 | +++ b/src/auths/spa.c |
| 16 | @@ -140,6 +140,7 @@ SPAAuthResponse response; |
| 17 | SPAAuthResponse *responseptr = &response; |
| 18 | uschar msgbuf[2048]; |
| 19 | uschar *clearpass, *s; |
| 20 | +unsigned off; |
| 21 | |
| 22 | /* send a 334, MS Exchange style, and grab the client's request, |
| 23 | unless we already have it via an initial response. */ |
| 24 | @@ -194,10 +195,13 @@ that causes failure if the size of msgbuf is exceeded. ****/ |
| 25 | |
| 26 | { |
| 27 | int i; |
| 28 | - char *p = ((char*)responseptr) + IVAL(&responseptr->uUser.offset,0); |
| 29 | + char * p; |
| 30 | int len = SVAL(&responseptr->uUser.len,0)/2; |
| 31 | |
| 32 | - if (p + len*2 >= CS (responseptr+1)) |
| 33 | + if ( (off = IVAL(&responseptr->uUser.offset,0)) >= sizeof(SPAAuthResponse) |
| 34 | + || len >= sizeof(responseptr->buffer)/2 |
| 35 | + || (p = (CS responseptr) + off) + len*2 >= CS (responseptr+1) |
| 36 | + ) |
| 37 | { |
| 38 | DEBUG(D_auth) |
| 39 | debug_printf("auth_spa_server(): bad uUser spec in response\n"); |
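Review bot: The third condition on the `||` chain still forms `p + len*2` before comparing it with `CS (responseptr+1)`; with `off` bounded only by `sizeof(SPAAuthResponse)` and `len*2` by `sizeof(responseptr->buffer)`, that pointer can lie well past the end of `response`, which is out-of-bounds pointer arithmetic even though the subsequent comparison rejects it, and an optimiser is entitled to assume it cannot happen. Doing the bound check in integers first removes the question: replace that line with `|| off + (unsigned)len*2 >= sizeof(SPAAuthResponse)` and assign `p = (CS responseptr) + off;` only after the check passes, as the third hunk already does for `s`. The `len >= sizeof(...)/2` comparison mixes `int` with `size_t`; that is safe only if `SVAL` cannot yield a negative value, which is presumably the case for a 16-bit field but is worth a one-line comment, e.g. `/* len is non-negative: SVAL yields a 16-bit unsigned value */`. The loop that consumes `p` and `len`, and the rest of this brace block, continue past the end of the hunk.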
| 40 | @@ -252,13 +256,14 @@ spa_smb_nt_encrypt (clearpass, challenge.challengeData, ntRespData); |
| 41 | |
| 42 | /* compare NT hash (LM may not be available) */ |
| 43 | |
| 44 | -s = (US responseptr) + IVAL(&responseptr->ntResponse.offset,0); |
| 45 | -if (s + 24 >= US (responseptr+1)) |
| 46 | +off = IVAL(&responseptr->ntResponse.offset,0); |
| 47 | +if (off >= sizeof(SPAAuthResponse) - 24) |
| 48 | { |
| 49 | DEBUG(D_auth) |
| 50 | debug_printf("auth_spa_server(): bad ntRespData spec in response\n"); |
| 51 | return FAIL; |
| 52 | } |
| 53 | +s = (US responseptr) + off; |
| 54 | |
| 55 | if (memcmp(ntRespData, s, 24) == 0) |
| 56 | return auth_check_serv_cond(ablock); /* success. we have a winner. */ |
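Review bot: The new bound `sizeof(SPAAuthResponse) - 24` and the `memcmp(ntRespData, s, 24)` on the line after it must agree on the same length, but nothing ties them together; if `ntRespData` is a fixed-size array, as the 24-byte compare suggests, write the guard as `if (off > sizeof(SPAAuthResponse) - sizeof ntRespData)` (or keep `>=` if the one-byte margin is intended) and use `sizeof ntRespData` in the `memcmp` so the two cannot drift apart. A short comment on the check would help the next reader, e.g. `/* ntResponse is 24 bytes; reject any offset that would let the compare run past the decoded response */`. Separately, the unchanged `memcmp` compares a secret-derived value with early exit; a constant-time comparison is the conventional choice there, though that is outside the scope of this commit. The enclosing function continues beyond the hunk.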
| 57 | -- |
| 58 | 2.26.2 |
| 59 | |