[PATCH] Integer overflow in asn1_read_GeneralString

Anthony Liguori anthony at codemonkey.ws
Wed Feb 11 05:02:41 GMT 2004


I did an audit of the asn1 code after hearing news of the new MS asn1 
vulnerabilities.  Fortunately it does not appear we're vulnerable 
anywhere (someone else should check of course).

However, we do have an integer overflow in the GeneralString code.  
However, it's only exploitable if the general string is being parsed at the 
very beginning of the packet.  Right now, the only place we parse 
GeneralStrings is in the libsmb/spnego.c code and that's definitely not 
at the beginning of the packet.

Nonetheless, I've included a patch to check for the overflow so that 
this doesn't bite us in the future.

Regards,
Anthony Liguori


-------------- next part --------------
Index: libsmb/asn1.c
===================================================================
RCS file: /cvsroot/samba/source/libsmb/asn1.c,v
retrieving revision 1.11.2.5
diff -u -r1.11.2.5 asn1.c
--- libsmb/asn1.c	23 Jul 2003 12:33:57 -0000	1.11.2.5
+++ libsmb/asn1.c	11 Feb 2004 05:03:44 -0000
@@ -365,6 +365,13 @@
 	int len;
 	if (!asn1_start_tag(data, ASN1_GENERAL_STRING)) return False;
 	len = asn1_tag_remaining(data);
+
+	// check for integer overflow
+	if ((len + 1) == 0) {
+		data->has_error = True;
+		return False;
+	}
+
 	*s = malloc(len+1);
 	if (! *s) {
 		data->has_error = True;
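Review bot: the added `if ((len + 1) == 0)` check rejects only the single value `len == -1`; because `len` is a signed `int` (see the `int len;` context line), any other negative value passes the check and is converted to a huge `size_t` in `*s = malloc(len+1);`, and when `len == INT_MAX` the expression `len + 1` is signed overflow, which is undefined behaviour in C rather than a guaranteed wrap to 0. Consider rejecting the whole bad range instead, e.g. `if (len < 0 || len == INT_MAX)` (or bounding `len` against the bytes actually remaining in the buffer), and consider using a `/* ... */` comment rather than `//` to match the C style of the surrounding code.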


More information about the samba-technical mailing list
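An added example (not Samba's code, written here to illustrate the post above): it contrasts the patch's `(len + 1) == 0` test with a stricter length check before `malloc(len + 1)`, using a constructed buffer and hypothetical function names.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Samba's code. A tag length parsed from an untrusted
 * packet arrives as a signed int, and the copy is allocated as len + 1
 * for the terminating NUL, as in asn1_read_GeneralString. */

/* The check the patch adds: it rejects exactly one value, len == -1,
 * where len + 1 == 0 would make malloc(0) succeed with no room for the
 * string. Any other negative len is converted to a huge size_t. */
static bool patch_check_accepts(int len)
{
    return (len + 1) != 0;
}

/* Stricter check (an assumption here, not from the page): the length must
 * be non-negative, must leave room for the +1 without signed overflow,
 * and must not exceed the bytes actually remaining in the buffer. */
static bool safe_len(int len, size_t remaining)
{
    if (len < 0 || len == INT_MAX)
        return false;
    return (size_t)len <= remaining;
}

/* Copies len bytes from buf into a freshly allocated NUL-terminated
 * string; returns NULL when the length is rejected or malloc fails. */
char *read_string(const unsigned char *buf, size_t remaining, int len)
{
    char *s;
    if (!safe_len(len, remaining))
        return NULL;
    s = malloc((size_t)len + 1);
    if (!s)
        return NULL;
    memcpy(s, buf, (size_t)len);
    s[len] = '\0';
    return s;
}
```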