-m 13100 Fix overflow in input hash parsing

2024-11-23 08:38:09 +00:00 · 2016-03-02 10:31:54 +01:00 · 2016-03-02 10:31:54 +01:00 · 9811a21098
commit 9811a21098
parent 3fc7620dec
1 changed files with 3 additions and 3 deletions
--- a/src/shared.c
+++ b/src/shared.c
@ -18832,8 +18832,10 @@ int krb5tgs_parse_hash (char *input_buf, uint input_len, hash_t *hash_buf)

  char *edata_ptr = (char *) krb5tgs->edata2;

+  krb5tgs->edata2_len = (data_len - 32) / 2 ;
+
  /* skip '$' */
-  for (uint i = 16 * 2 + 1; i < input_len; i += 2)
+  for (uint i = 16 * 2 + 1; i < (krb5tgs->edata2_len * 2) + (16 * 2 + 1); i += 2)
  {
    const char p0 = data_pos[i + 0];
    const char p1 = data_pos[i + 1];
@ -18844,8 +18846,6 @@ int krb5tgs_parse_hash (char *input_buf, uint input_len, hash_t *hash_buf)
 /* this is needed for hmac_md5 */
  *edata_ptr++ = 0x80;

-  krb5tgs->edata2_len = (data_len - 32) / 2 ;
-
  salt->salt_buf[0] = krb5tgs->checksum[0];
  salt->salt_buf[1] = krb5tgs->checksum[1];
  salt->salt_buf[2] = krb5tgs->checksum[2];