From: Jeremy Harris Date: Thu, 11 May 2023 20:08:08 +0000 (+0100) Subject: Auths: fix possible OOB read in SPA authenticator. Bug 3001 X-Git-Tag: exim-4.96.1~1 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/ccf9816f54fb04ab5508eb8c7f00b08bc3531297 Auths: fix possible OOB read in SPA authenticator. Bug 3001 (cherry picked from commit 04107e98d58efb69f7e2d7b81176e5374c7098a3) --- diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 97987f014..e1402eae0 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -199,6 +199,9 @@ JH/40 Bug 2999: Fix a possible OOB write in the external authenticator, which JH/41 Bug 3000: Fix a possible OOB write in the SPA authenticator, which could be triggered by externally-controlled input. Found by Trend Micro. +JH/42 Bug 3001: Fix a possible OOB read in the SPA authenticator, which could + be triggered by externally-controlled input. Found by Trend Micro. + Exim version 4.96 ----------------- diff --git a/src/src/auths/auth-spa.c b/src/src/auths/auth-spa.c index 27e95805b..bb3d327d1 100644 --- a/src/src/auths/auth-spa.c +++ b/src/src/auths/auth-spa.c @@ -1254,15 +1254,10 @@ spa_bytes_add(ptr, header, b, len*2); \ } -#define GetUnicodeString(structPtr, header) \ -unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2) -#define GetString(structPtr, header) \ -toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0)) - #ifdef notdef #define DumpBuffer(fp, structPtr, header) \ -dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0)) + dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0)) static void @@ -1326,8 +1321,33 @@ buf[len] = 0; return buf; } +static inline uschar * +get_challenge_unistr(SPAAuthChallenge * challenge, SPAStrHeader * hdr) +{ +int off = IVAL(&hdr->offset, 0); +int len = SVAL(&hdr->len, 0); +return off + len < sizeof(SPAAuthChallenge) + ? US unicodeToString(CS challenge + off, len/2) : US""; +} + +static inline uschar * +get_challenge_str(SPAAuthChallenge * challenge, SPAStrHeader * hdr) +{ +int off = IVAL(&hdr->offset, 0); +int len = SVAL(&hdr->len, 0); +return off + len < sizeof(SPAAuthChallenge) + ? US toString(CS challenge + off, len) : US""; +} + #ifdef notdef +#define GetUnicodeString(structPtr, header) \ + unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2) + +#define GetString(structPtr, header) \ + toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0)) + + void dumpSmbNtlmAuthRequest (FILE * fp, SPAAuthRequest * request) { @@ -1497,8 +1517,8 @@ if (p) } else domain = d = string_copy(cf & 0x1 - ? CUS GetUnicodeString(challenge, uDomain) - : CUS GetString(challenge, uDomain)); + ? CUS get_challenge_unistr(challenge, &challenge->uDomain) + : CUS get_challenge_str(challenge, &challenge->uDomain)); spa_smb_encrypt(password, challenge->challengeData, lmRespData); spa_smb_nt_encrypt(password, challenge->challengeData, ntRespData);