smb: fix panic in ntlmssp when unmarshaling (#333)

* smb: panic in ntlmssp when unmarshaling There are two errors here: 1. The offsets to the ParentBuf are not checked to be in-bounds 2. Types are uint64, but subtracted and compared to > 0. This allows underflow during subtraction of the size. * smb: check offset/length/size are positive after cast
2021-11-17 16:30:20 -05:00 · 2021-11-17 16:30:20 -05:00 · 4a6f6b51a3
parent a1fba22c6b
commit 4a6f6b51a3
1 changed files with 16 additions and 4 deletions
--- a/lib/smb/ntlmssp/ntlmssp.go
+++ b/lib/smb/ntlmssp/ntlmssp.go
@ -172,15 +172,27 @@ func (s *AvPairSlice) UnmarshalBinary(buf []byte, meta *encoder.Metadata) error
 	if !ok {
 		return errors.New(fmt.Sprintf("Cannot unmarshal field '%s'. Missing offset\n", meta.CurrField))
 	}
-	for i := l; i > 0; {
+	offset := int64(o)
+	length := int64(l)
+	if offset < 0 || length < 0 {
+		return fmt.Errorf("AvPairSlice.UnmarshalBinary: offset (%d) and length (%d) should be positive",
+			offset, length)
+	}
+	if offset+length > int64(len(meta.ParentBuf)) {
+		return fmt.Errorf("AvPairSlice.UnmarshalBinary: ParentBuf overrun")
+	}
+	for i := length; i > 0; {
 		var avPair AvPair
-		err := encoder.Unmarshal(meta.ParentBuf[o:o+i], &avPair)
+		err := encoder.Unmarshal(meta.ParentBuf[offset:offset+i], &avPair)
 		if err != nil {
 			return err
 		}
 		slice = append(slice, avPair)
-		size := avPair.Size()
-		o += size
+		size := int64(avPair.Size())
+		if size < 0 {
+			return fmt.Errorf("AvPairSlice.UnmarshalBinary: Invalid avPair.Size() %d", size)
+		}
+		offset += size
 		i -= size
 	}
 	*s = slice