From 04107e98d58efb69f7e2d7b81176e5374c7098a3 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Thu, 11 May 2023 21:08:08 +0100 Subject: [PATCH] Auths: fix possible OOB read in SPA authenticator. Bug 3001 --- doc/doc-txt/ChangeLog | 3 +++ src/src/auths/auth-spa.c | 36 ++++++++++++++++++++++++++++-------- 2 files changed, 31 insertions(+), 8 deletions(-) diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 95377514f..406c4b0c4 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -199,6 +199,9 @@ JH/40 Bug 2999: Fix a possible OOB write in the external authenticator, which JH/41 Bug 3000: Fix a possible OOB write in the SPA authenticator, which could be triggered by externally-controlled input. Found by Trend Micro. +JH/42 Bug 3001: Fix a possible OOB read in the SPA authenticator, which could + be triggered by externally-controlled input. Found by Trend Micro. + Exim version 4.96 ----------------- diff --git a/src/src/auths/auth-spa.c b/src/src/auths/auth-spa.c index d7a12aa23..8e3146b35 100644 --- a/src/src/auths/auth-spa.c +++ b/src/src/auths/auth-spa.c @@ -1255,15 +1255,10 @@ spa_bytes_add(ptr, header, b, len*2); \ } -#define GetUnicodeString(structPtr, header) \ -unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2) -#define GetString(structPtr, header) \ -toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0)) - #ifdef notdef #define DumpBuffer(fp, structPtr, header) \ -dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0)) + dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0)) static void @@ -1327,8 +1322,33 @@ buf[len] = 0; return buf; } +static inline uschar * +get_challenge_unistr(SPAAuthChallenge * challenge, SPAStrHeader * hdr) +{ +int off = IVAL(&hdr->offset, 0); +int len = SVAL(&hdr->len, 0); +return off + len < sizeof(SPAAuthChallenge) + ? US unicodeToString(CS challenge + off, len/2) : US""; +} + +static inline uschar * +get_challenge_str(SPAAuthChallenge * challenge, SPAStrHeader * hdr) +{ +int off = IVAL(&hdr->offset, 0); +int len = SVAL(&hdr->len, 0); +return off + len < sizeof(SPAAuthChallenge) + ? US toString(CS challenge + off, len) : US""; +} + #ifdef notdef +#define GetUnicodeString(structPtr, header) \ + unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2) + +#define GetString(structPtr, header) \ + toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0)) + + void dumpSmbNtlmAuthRequest (FILE * fp, SPAAuthRequest * request) { @@ -1498,8 +1518,8 @@ if (p) } else domain = d = string_copy(cf & 0x1 - ? CUS GetUnicodeString(challenge, uDomain) - : CUS GetString(challenge, uDomain)); + ? CUS get_challenge_unistr(challenge, &challenge->uDomain) + : CUS get_challenge_str(challenge, &challenge->uDomain)); spa_smb_encrypt(password, challenge->challengeData, lmRespData); spa_smb_nt_encrypt(password, challenge->challengeData, ntRespData); -- 2.30.2