[exim-dev] [Bug 2571] Out-of-bound buffer read leads to Aut…

Startseite
Nachricht löschen
Nachricht beantworten
Autor: admin
Datum:  
To: exim-dev
Betreff: [exim-dev] [Bug 2571] Out-of-bound buffer read leads to Authentication Bypass in Exim SPA authentication method
https://bugs.exim.org/show_bug.cgi?id=2571

--- Comment #3 from Git Commit <git@???> ---
Git commit:
https://git.exim.org/exim.git/commitdiff/a04174dc2a84ae1008c23b6a7109e7fa3fb7b8b0

commit a04174dc2a84ae1008c23b6a7109e7fa3fb7b8b0
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Wed May 6 22:31:25 2020 +0100
Commit:     Jeremy Harris <jgh146exb@???>
CommitDate: Wed May 6 22:31:25 2020 +0100


    Rework SPA fix to avoid overflows.  Bug 2571


    Amends: 57aa14b216
---
 src/src/auths/spa.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)


diff --git a/src/src/auths/spa.c b/src/src/auths/spa.c
index f83d114..ff90d33 100644
--- a/src/src/auths/spa.c
+++ b/src/src/auths/spa.c
@@ -141,6 +141,7 @@ SPAAuthResponse response;
SPAAuthResponse *responseptr = &response;
uschar msgbuf[2048];
uschar *clearpass, *s;
+unsigned off;

/* send a 334, MS Exchange style, and grab the client's request,
unless we already have it via an initial response. */
@@ -187,10 +188,13 @@ that causes failure if the size of msgbuf is exceeded.
****/

{
int i;
- char * p = (CS responseptr) + IVAL(&responseptr->uUser.offset,0);
+ char * p;
int len = SVAL(&responseptr->uUser.len,0)/2;

-  if (p + len*2 >= CS (responseptr+1))
+  if (  (off = IVAL(&responseptr->uUser.offset,0)) >= sizeof(SPAAuthResponse)
+     || len >= sizeof(responseptr->buffer)/2
+     || (p = (CS responseptr) + off) + len*2 >= CS (responseptr+1)
+     )
     {
     DEBUG(D_auth)
       debug_printf("auth_spa_server(): bad uUser spec in response\n");
@@ -242,13 +246,14 @@ spa_smb_nt_encrypt(clearpass, challenge.challengeData,
ntRespData);


/* compare NT hash (LM may not be available) */

-s = (US responseptr) + IVAL(&responseptr->ntResponse.offset,0);
-if (s + 24 >= US (responseptr+1))
+off = IVAL(&responseptr->ntResponse.offset,0);
+if (off >= sizeof(SPAAuthResponse) - 24)
   {
   DEBUG(D_auth)
     debug_printf("auth_spa_server(): bad ntRespData spec in response\n");
   return FAIL;
   }
+s = (US responseptr) + off;


 if (memcmp(ntRespData, s, 24) == 0)
   return auth_check_serv_cond(ablock);    /* success. we have a winner. */


--
You are receiving this mail because:
You are on the CC list for the bug.