authorGreg Hudson <ghudson@mit.edu>2017-04-14 21:41:20 -0400
committerGreg Hudson <ghudson@mit.edu>2017-07-17 17:46:07 -0400
commit86512c5713a6e2dc39c95b30c1299a484d30d58e (patch)
treec29bb372269143968f03648d14fd4a84f435c490
parentab8ab286f9c27ea34fb569dcb4472896abbf96d8 (diff)
Make RC4 string-to-key more robust
krb5int_utf8cs_to_ucs2les() can read slightly beyond the end of the input buffer if the buffer ends with an invalid UTF-8 sequence. When computing the RC4 string-to-key result, make a zero-terminated copy of the input string and use krb5int_utf8s_to_ucs2les() instead. (cherry picked from commit b8814745049b5f401e3ae39a81dc1e14598ae48c) ticket: 8576 version_fixed: 1.15.2
-rw-r--r--src/lib/crypto/krb/s2k_rc4.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/src/lib/crypto/krb/s2k_rc4.c b/src/lib/crypto/krb/s2k_rc4.c
index 49ad89d..7286637 100644
--- a/src/lib/crypto/krb/s2k_rc4.c
+++ b/src/lib/crypto/krb/s2k_rc4.c
@@ -10,6 +10,7 @@ krb5int_arcfour_string_to_key(const struct krb5_keytypes *ktp,
krb5_error_code err = 0;
krb5_crypto_iov iov;
krb5_data hash_out;
+ char *utf8;
unsigned char *copystr;
size_t copystrlen;
@@ -20,8 +21,11 @@ krb5int_arcfour_string_to_key(const struct krb5_keytypes *ktp,
return (KRB5_BAD_MSIZE);
/* We ignore salt per the Microsoft spec. */
- err = krb5int_utf8cs_to_ucs2les(string->data, string->length, &copystr,
- &copystrlen);
+ utf8 = k5memdup0(string->data, string->length, &err);
+ if (utf8 == NULL)
+ return err;
+ err = krb5int_utf8s_to_ucs2les(utf8, &copystr, &copystrlen);
+ free(utf8);
if (err)
return err;
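Review bot: The new `utf8` buffer is a heap copy of the password and is released with plain `free(utf8);`, so the cleartext stays in freed memory after the conversion. Since this is secret material, clear it on release, e.g. `zapfree(utf8, string->length);` in place of `free(utf8);`. Separately, krb5int_utf8s_to_ucs2les() takes a zero-terminated string, so it presumably stops at the first zero byte. An input with an embedded NUL would then be silently truncated, where the counted variant consumed all `string->length` bytes; a comment stating that assumption, or an explicit check, would make the change in behaviour visible. The function body starts and ends outside this hunk, so how `copystr` is cleared later cannot be seen here.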