GHSL-2023-011: Out-of-bounds read when decoding

Out-of-bounds read when decoding target information (GHSL-2023-011) Fixes defect GHSL-2023-011 found by the GitHub Security Lab team via oss-fuzz. The lenght of the av_pair is not checked properly for two of the elements. In case the lenght is shorter than requires this may cause an out-of-bound read that either reads garbage or may cause a crash by reading unmapped memory. This can be exploited to crash the service causing a DoS. Signed-off-by: Simo Sorce <simo@redhat.com>
gssapi · Feb 12, 2023 · 025fbb7 · 025fbb7
1 parent c16100f
commit 025fbb7
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/src/ntlm.c b/src/ntlm.c
@@ -685,11 +685,19 @@ int ntlm_decode_target_info(struct ntlm_ctx *ctx, struct ntlm_buffer *buffer,
             break;
         case MSV_AV_TIMESTAMP:
             if (!av_timestamp) continue;
+            if (av_len < sizeof(timestamp)) {
+                ret = ERR_DECODE;
+                goto done;
+            }
             memcpy(&timestamp, av_pair->value, sizeof(timestamp));
             timestamp = le64toh(timestamp);
             break;
         case MSV_AV_FLAGS:
             if (!av_flags) continue;
+            if (av_len < sizeof(flags)) {
+                ret = ERR_DECODE;
+                goto done;
+            }
             memcpy(&flags, av_pair->value, sizeof(flags));
             flags = le32toh(flags);
             break;