[Pkg-samba-maint] [samba] 05/07: CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum()

Mathieu Parent sathieu at moszumanska.debian.org
Sun Dec 25 16:40:50 UTC 2016


This is an automated email from the git hooks/post-receive script.

sathieu pushed a commit to branch master
in repository samba.

commit 4a9cd3f771683f62c86b19a3d0d50cb0ff77f138
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 22 17:08:46 2016 +0100

    CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum()
    
    aes based checksums can only be checked with the
    corresponding aes based keytype.
    
    Otherwise we may trigger an undefined code path
    deep in the kerberos libraries, which can lead to
    segmentation faults.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 auth/kerberos/kerberos_pac.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index 32d9d7f..7b6efdc 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -39,6 +39,28 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
 	krb5_boolean checksum_valid = false;
 	krb5_data input;
 
+	switch (sig->type) {
+	case CKSUMTYPE_HMAC_MD5:
+		/* ignores the key type */
+		break;
+	case CKSUMTYPE_HMAC_SHA1_96_AES_256:
+		if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
+			return EINVAL;
+		}
+		/* ok */
+		break;
+	case CKSUMTYPE_HMAC_SHA1_96_AES_128:
+		if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
+			return EINVAL;
+		}
+		/* ok */
+		break;
+	default:
+		DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n",
+			(int)sig->type));
+		return EINVAL;
+	}
+
 #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */
 	cksum.cksumtype	= (krb5_cksumtype)sig->type;
 	cksum.checksum.length	= sig->signature.length;
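Review bot: the two AES mismatch branches (`KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96` and the AES128 counterpart) return EINVAL silently, while the `default:` branch logs at DEBUG level 2 before returning the same error; an operator debugging a failed PAC validation cannot tell a key-type mismatch from an unsupported checksum type. Suggest adding a matching `DEBUG(2,(...))` line in each AES case that names the checksum type and the key type actually supplied, for example `DEBUG(2,("check_pac_checksum: Checksum Type %d requires an AES256 key, got key type %d\n", ...))`. The `/* ignores the key type */` comment on `CKSUMTYPE_HMAC_MD5` would also benefit from a short note on why no key-type check is needed there, since the commit message only explains the AES constraint.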

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git
