GHSL-2023-013: Memory corruption decoding UTF16

Memory corruption when decoding UTF16 strings (GHSL-2023-013) Fixes defect GHSL-2023-013 found by the GitHub Security Lab team via oss-fuzz. The variable outlen was not initialized and could cause writing a zero to an arbitrary place in memory if ntlm_str_convert() were to fail, which would leave outlen uninitialized. This can lead to a DoS if the write hits unmapped memory or randomly corrupting a byte in the application memory space. Make sure to zero out only if ntlm_str_convert() succeeds, but for good measure also initialize outlen to 0. Fixes CVE-2023-25564 Signed-off-by: Simo Sorce <simo@redhat.com>
gssapi · Feb 12, 2023 · c753000 · c753000
1 parent 97c62c6
commit c753000
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/src/ntlm.c b/src/ntlm.c
@@ -299,7 +299,7 @@ static int ntlm_decode_u16l_str_hdr(struct ntlm_ctx *ctx,
     char *in, *out = NULL;
     uint16_t str_len;
     uint32_t str_offs;
-    size_t outlen;
+    size_t outlen = 0;
     int ret = 0;
 
     str_len = le16toh(str_hdr->len);
@@ -320,13 +320,14 @@ static int ntlm_decode_u16l_str_hdr(struct ntlm_ctx *ctx,
 
     ret = ntlm_str_convert(ctx->to_oem, in, out, str_len, &outlen);
 
-    /* make sure to terminate output string */
-    out[outlen] = '\0';
-
 done:
     if (ret) {
         safefree(out);
+    } else {
+        /* make sure to terminate output string */
+        out[outlen] = '\0';
     }
+
     *str = out;
     return ret;
 }