Blame SOURCES/squid-5.5-CVE-2022-41318.patch

815ff2
commit 4031c6c2b004190fdffbc19dab7cd0305a2025b7 (refs/remotes/origin/v4, refs/remotes/github/v4, refs/heads/v4)
815ff2
Author: Amos Jeffries <yadij@users.noreply.github.com>
815ff2
Date:   2022-08-09 23:34:54 +0000
815ff2
815ff2
    Bug 3193 pt2: NTLM decoder truncating strings (#1114)
815ff2
    
815ff2
    The initial bug fix overlooked large 'offset' causing integer
815ff2
    wrap to extract a too-short length string.
815ff2
    
815ff2
    Improve debugs and checks sequence to clarify cases and ensure
815ff2
    that all are handled correctly.
815ff2
815ff2
diff --git a/lib/ntlmauth/ntlmauth.cc b/lib/ntlmauth/ntlmauth.cc
815ff2
index 5d9637290..f00fd51f8 100644
815ff2
--- a/lib/ntlmauth/ntlmauth.cc
815ff2
+++ b/lib/ntlmauth/ntlmauth.cc
815ff2
@@ -107,10 +107,19 @@ ntlm_fetch_string(const ntlmhdr *packet, const int32_t packet_size, const strhdr
815ff2
     int32_t o = le32toh(str->offset);
815ff2
     // debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o);
815ff2
 
815ff2
-    if (l < 0 || l > NTLM_MAX_FIELD_LENGTH || o + l > packet_size || o == 0) {
815ff2
-        debug("ntlm_fetch_string: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
815ff2
+    if (l < 0 || l > NTLM_MAX_FIELD_LENGTH) {
815ff2
+        debug("ntlm_fetch_string: insane string length (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
815ff2
         return rv;
815ff2
     }
815ff2
+    else if (o <= 0 || o > packet_size) {
815ff2
+        debug("ntlm_fetch_string: insane string offset (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
815ff2
+        return rv;
815ff2
+    }
815ff2
+    else if (l > packet_size - o) {
815ff2
+        debug("ntlm_fetch_string: truncated string data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
815ff2
+        return rv;
815ff2
+    }
815ff2
+
815ff2
     rv.str = (char *)packet + o;
815ff2
     rv.l = 0;
815ff2
     if ((flags & NTLM_NEGOTIATE_ASCII) == 0) {