1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
|
From 04107e98d58efb69f7e2d7b81176e5374c7098a3 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Thu, 11 May 2023 21:08:08 +0100
Subject: [PATCH 4/4] Auths: fix possible OOB read in SPA authenticator. Bug
3001
---
doc/doc-txt/ChangeLog | 3 +++
src/src/auths/auth-spa.c | 36 ++++++++++++++++++++++++++++--------
2 files changed, 31 insertions(+), 8 deletions(-)
--- a/src/auths/auth-spa.c
+++ b/src/auths/auth-spa.c
@@ -1254,15 +1254,10 @@ spa_bytes_add(ptr, header, b, len*2); \
}
-#define GetUnicodeString(structPtr, header) \
-unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2)
-#define GetString(structPtr, header) \
-toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0))
-
#ifdef notdef
#define DumpBuffer(fp, structPtr, header) \
-dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0))
+ dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0))
static void
@@ -1326,8 +1321,33 @@ buf[len] = 0;
return buf;
}
+static inline uschar *
+get_challenge_unistr(SPAAuthChallenge * challenge, SPAStrHeader * hdr)
+{
+int off = IVAL(&hdr->offset, 0);
+int len = SVAL(&hdr->len, 0);
+return off + len < sizeof(SPAAuthChallenge)
+ ? US unicodeToString(CS challenge + off, len/2) : US"";
+}
+
+static inline uschar *
+get_challenge_str(SPAAuthChallenge * challenge, SPAStrHeader * hdr)
+{
+int off = IVAL(&hdr->offset, 0);
+int len = SVAL(&hdr->len, 0);
+return off + len < sizeof(SPAAuthChallenge)
+ ? US toString(CS challenge + off, len) : US"";
+}
+
#ifdef notdef
+#define GetUnicodeString(structPtr, header) \
+ unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2)
+
+#define GetString(structPtr, header) \
+ toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0))
+
+
void
dumpSmbNtlmAuthRequest (FILE * fp, SPAAuthRequest * request)
{
@@ -1497,8 +1517,8 @@ if (p)
}
else domain = d = string_copy(cf & 0x1
- ? CUS GetUnicodeString(challenge, uDomain)
- : CUS GetString(challenge, uDomain));
+ ? CUS get_challenge_unistr(challenge, &challenge->uDomain)
+ : CUS get_challenge_str(challenge, &challenge->uDomain));
spa_smb_encrypt(password, challenge->challengeData, lmRespData);
spa_smb_nt_encrypt(password, challenge->challengeData, ntRespData);
|
