[PATCH] Integer overflow in asn1_read_GeneralString

Anthony Liguori anthony at codemonkey.ws
Wed Feb 11 05:02:41 GMT 2004

I did an audit of the asn1 code after hearing news of the new MS asn1 
vunerabilities.  Fortunately it does not appear we're vunerable any 
where (someone else should check of course).

However, we do have an integer overflow in the GeneralString code.  
However, it's only exploitable the general string is being parsed at the 
very beginning of the packet.  Right now, the only place we parse 
GeneralStrings is in the libsmb/spnego.c code and that's definitely not 
at the beginning of the packet.

Nonetheless, I've included a patch to check for the overflow so that 
this doesn't bite us in the future.

Anthony Liguori

-------------- next part --------------
Index: libsmb/asn1.c
RCS file: /cvsroot/samba/source/libsmb/asn1.c,v
retrieving revision
diff -u -r1.11.2.5 asn1.c
--- libsmb/asn1.c	23 Jul 2003 12:33:57 -0000
+++ libsmb/asn1.c	11 Feb 2004 05:03:44 -0000
@@ -365,6 +365,13 @@
 	int len;
 	if (!asn1_start_tag(data, ASN1_GENERAL_STRING)) return False;
 	len = asn1_tag_remaining(data);
+	// check for integer overflow
+	if ((len + 1) == 0) {
+		data->has_error = True;
+		return False;
+	}
 	*s = malloc(len+1);
 	if (! *s) {
 		data->has_error = True;

More information about the samba-technical mailing list