From: Markus Koschany Date: Sun, 1 Oct 2023 10:38:47 +0200 Subject: CVE-2023-42114 Upstream-Bug: 3001 Originally created by Jeremy Harris. --- src/auths/auth-spa.c | 36 ++++++++++++++++++++++++++++-------- 1 file changed, 28 insertions(+), 8 deletions(-) diff --git a/src/auths/auth-spa.c b/src/auths/auth-spa.c index ae8da9c..f3b0b78 100644 --- a/src/auths/auth-spa.c +++ b/src/auths/auth-spa.c @@ -1263,15 +1263,10 @@ spa_bytes_add(ptr, header, b, len*2); \ } -#define GetUnicodeString(structPtr, header) \ -unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2) -#define GetString(structPtr, header) \ -toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0)) - #ifdef notdef #define DumpBuffer(fp, structPtr, header) \ -dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0)) + dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0)) static void @@ -1335,8 +1330,33 @@ toString (char *p, size_t len) return buf; } +static inline uschar * +get_challenge_unistr(SPAAuthChallenge * challenge, SPAStrHeader * hdr) +{ +int off = IVAL(&hdr->offset, 0); +int len = SVAL(&hdr->len, 0); +return off + len < sizeof(SPAAuthChallenge) + ? US unicodeToString(CS challenge + off, len/2) : US""; +} + +static inline uschar * +get_challenge_str(SPAAuthChallenge * challenge, SPAStrHeader * hdr) +{ +int off = IVAL(&hdr->offset, 0); +int len = SVAL(&hdr->len, 0); +return off + len < sizeof(SPAAuthChallenge) + ? US toString(CS challenge + off, len) : US""; +} + #ifdef notdef +#define GetUnicodeString(structPtr, header) \ + unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2) + +#define GetString(structPtr, header) \ + toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0)) + + void dumpSmbNtlmAuthRequest (FILE * fp, SPAAuthRequest * request) { @@ -1507,8 +1527,8 @@ spa_build_auth_response (SPAAuthChallenge * challenge, } else domain = d = string_copy(cf & 0x1 - ? CUS GetUnicodeString(challenge, uDomain) - : CUS GetString(challenge, uDomain)); + ? CUS get_challenge_unistr(challenge, &challenge->uDomain) + : CUS get_challenge_str(challenge, &challenge->uDomain)); spa_smb_encrypt(password, challenge->challengeData, lmRespData); spa_smb_nt_encrypt(password, challenge->challengeData, ntRespData);