Skip to content
Permalink
Browse files Browse the repository at this point in the history
Out-of-bounds read in multiple decode functions
These were reported as:
- Out-of-bounds read in ntlm_decode_oem_str (GHSL-2023-019)
- Out-of-bounds read in ntlm_decode_u16l_str_hdr (GHSL-2023-020)
- Out-of-bounds read in ntlm_decode_field (GHSL-2023-021)

These are lall basically the same identical error replicated in 3
separate functions.

Fixes defects GHSL-2023-019, GHSL-2023-020, GHSL-2023-021 found by
the GitHub Security Lab team via oss-fuzz.

A 32-bit integer overflow condition can lead to incorrect checks of
consistency of length of internal buffers. This leads to a DoS
as the service may end up reading from unmapped memory and crashing.

Although most applications will error out before accepting a singe input
buffer of 4GB in lenght this could theoretically happen, and therefore
we fix it.

Fixes CVE-2023-25563

Signed-off-by: Simo Sorce <simo@redhat.com>
  • Loading branch information
simo5 committed Feb 12, 2023
1 parent 0f4889a commit 97c62c6
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion src/ntlm.c
Expand Up @@ -205,7 +205,6 @@ static int ntlm_str_convert(iconv_t cd,
return 0;
}


uint8_t ntlmssp_sig[8] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};

static void ntlm_encode_header(struct wire_msg_hdr *hdr, uint32_t msg_type)
Expand Down Expand Up @@ -256,6 +255,7 @@ static int ntlm_decode_oem_str(struct wire_field_hdr *str_hdr,
str_offs = le32toh(str_hdr->offset);
if ((str_offs < payload_offs) ||
(str_offs > buffer->length) ||
(UINT32_MAX - str_offs < str_len) ||
(str_offs + str_len > buffer->length)) {
return ERR_DECODE;
}
Expand Down Expand Up @@ -308,6 +308,7 @@ static int ntlm_decode_u16l_str_hdr(struct ntlm_ctx *ctx,
str_offs = le32toh(str_hdr->offset);
if ((str_offs < payload_offs) ||
(str_offs > buffer->length) ||
(UINT32_MAX - str_offs < str_len) ||
(str_offs + str_len > buffer->length)) {
return ERR_DECODE;
}
Expand Down Expand Up @@ -393,6 +394,7 @@ static int ntlm_decode_field(struct wire_field_hdr *hdr,
offs = le32toh(hdr->offset);
if ((offs < payload_offs) ||
(offs > buffer->length) ||
(UINT32_MAX - offs < len) ||
(offs + len > buffer->length)) {
return ERR_DECODE;
}
Expand Down

0 comments on commit 97c62c6

Please sign in to comment.