GHSL-2023-011: Out-of-bounds read when decoding

simo5 · simo5 · commit 025fbb756d44 · 2023-02-12T11:06:10.000-05:00
Out-of-bounds read when decoding target information (GHSL-2023-011)

Fixes defect GHSL-2023-011 found by the GitHub Security Lab team via
oss-fuzz.

The lenght of the av_pair is not checked properly for two of the
elements. In case the lenght is shorter than requires this may cause an
out-of-bound read that either reads garbage or may cause a crash by
reading unmapped memory.

This can be exploited to crash the service causing a DoS.

Signed-off-by: Simo Sorce &lt;simo@redhat.com&gt;
diff --git a/src/ntlm.c b/src/ntlm.c
@@ -685,11 +685,19 @@ int ntlm_decode_target_info(struct ntlm_ctx *ctx, struct ntlm_buffer *buffer,
             break;
         case MSV_AV_TIMESTAMP:
             if (!av_timestamp) continue;
+            if (av_len < sizeof(timestamp)) {
+                ret = ERR_DECODE;
+                goto done;
+            }
             memcpy(&timestamp, av_pair->value, sizeof(timestamp));
             timestamp = le64toh(timestamp);
             break;
         case MSV_AV_FLAGS:
             if (!av_flags) continue;
+            if (av_len < sizeof(flags)) {
+                ret = ERR_DECODE;
+                goto done;
+            }
             memcpy(&flags, av_pair->value, sizeof(flags));
             flags = le32toh(flags);
             break;
