1 files changed, 75 insertions, 0 deletions

diff --git a/debian/patches/75_74-Auths-fix-possible-OOB-read-in-SPA-authenticator.-Bu.patch b/debian/patches/75_74-Auths-fix-possible-OOB-read-in-SPA-authenticator.-Bu.patch
new file mode 100644
index 0000000..d4e0eb6
--- /dev/null
+++ b/debian/patches/75_74-Auths-fix-possible-OOB-read-in-SPA-authenticator.-Bu.patch
@@ -0,0 +1,75 @@
+From 04107e98d58efb69f7e2d7b81176e5374c7098a3 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Thu, 11 May 2023 21:08:08 +0100
+Subject: [PATCH 4/4] Auths: fix possible OOB read in SPA authenticator.  Bug
+ 3001
+
+---
+ doc/doc-txt/ChangeLog    |  3 +++
+ src/src/auths/auth-spa.c | 36 ++++++++++++++++++++++++++++--------
+ 2 files changed, 31 insertions(+), 8 deletions(-)
+
+--- a/src/auths/auth-spa.c
++++ b/src/auths/auth-spa.c
+@@ -1254,15 +1254,10 @@ spa_bytes_add(ptr, header, b, len*2); \
+ }
+ 
+ 
+-#define GetUnicodeString(structPtr, header) \
+-unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2)
+-#define GetString(structPtr, header) \
+-toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0))
+-
+ #ifdef notdef
+ 
+ #define DumpBuffer(fp, structPtr, header) \
+-dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0))
++ dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0))
+ 
+ 
+ static void
+@@ -1326,8 +1321,33 @@ buf[len] = 0;
+ return buf;
+ }
+ 
++static inline uschar *
++get_challenge_unistr(SPAAuthChallenge * challenge, SPAStrHeader * hdr)
++{
++int off = IVAL(&hdr->offset, 0);
++int len = SVAL(&hdr->len, 0);
++return off + len < sizeof(SPAAuthChallenge)
++  ? US unicodeToString(CS challenge + off, len/2) : US"";
++}
++
++static inline uschar *
++get_challenge_str(SPAAuthChallenge * challenge, SPAStrHeader * hdr)
++{
++int off = IVAL(&hdr->offset, 0);
++int len = SVAL(&hdr->len, 0);
++return off + len < sizeof(SPAAuthChallenge)
++  ? US toString(CS challenge + off, len) : US"";
++}
++
+ #ifdef notdef
+ 
++#define GetUnicodeString(structPtr, header) \
++ unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2)
++
++#define GetString(structPtr, header) \
++ toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0))
++
++
+ void
+ dumpSmbNtlmAuthRequest (FILE * fp, SPAAuthRequest * request)
+ {
+@@ -1497,8 +1517,8 @@ if (p)
+   }
+ 
+ else domain = d = string_copy(cf & 0x1
+-  ? CUS GetUnicodeString(challenge, uDomain)
+-  : CUS GetString(challenge, uDomain));
++  ? CUS get_challenge_unistr(challenge, &challenge->uDomain)
++  : CUS get_challenge_str(challenge, &challenge->uDomain));
+ 
+ spa_smb_encrypt(password, challenge->challengeData, lmRespData);
+ spa_smb_nt_encrypt(password, challenge->challengeData, ntRespData);