[30851] in CVS-changelog-for-Kerberos-V5


krb5 commit: Do proper length decoding in SPNEGO gss_get_oid()

daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Sep 9 17:03:10 2020

Date: Wed, 9 Sep 2020 17:02:47 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <202009092102.089L2lEd003083@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/f712fa5a94438096d3c2449babe4aca9c17d7feb
commit f712fa5a94438096d3c2449babe4aca9c17d7feb
Author: Greg Hudson <ghudson@mit.edu>
Date:   Tue Jul 28 12:51:06 2020 -0400

    Do proper length decoding in SPNEGO gss_get_oid()
    
    When reading an OID in a SPNEGO token, use gssint_get_der_length()
    rather than assuming the length fits in one byte.  Although OID
    lengths greater than 127 are unlikely, some NetApp products have been
    observed to incorrectly encode the length in multiple bytes.  Reported
    by Richard Sharpe.
    
    ticket: 8932 (new)

 src/lib/gssapi/spnego/spnego_mech.c |   13 ++++++-------
 1 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 68e3897..450145d 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -3338,20 +3338,19 @@ get_mech_oid(OM_uint32 *minor_status, unsigned char **buff_in, size_t length)
 	OM_uint32	status;
 	gss_OID_desc 	toid;
 	gss_OID		mech_out = NULL;
-	unsigned char		*start, *end;
+	unsigned int	bytes;
+	int		oid_length;
 
 	if (length < 1 || **buff_in != MECH_OID)
 		return (NULL);
-
-	start = *buff_in;
-	end = start + length;
-
 	(*buff_in)++;
-	toid.length = *(*buff_in)++;
+	length--;
 
-	if ((*buff_in + toid.length) > end)
+	oid_length = gssint_get_der_length(buff_in, length, &bytes);
+	if (oid_length < 0 || length - bytes < (size_t)oid_length)
 		return (NULL);
 
+	toid.length = oid_length;
 	toid.elements = *buff_in;
 	*buff_in += toid.length;
 
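Review bot: the underflow safety of `length - bytes < (size_t)oid_length` rests on gssint_get_der_length() never reporting more consumed octets in `bytes` than the `length` it was given whenever it returns a non-negative value; that contract is not visible in this hunk, so a one-line comment, or an explicit `bytes > length` guard ahead of the subtraction, would make the bounds reasoning self-contained for the next reader. The replacement of the `start`/`end` pointer comparison with an arithmetic check on the remaining `length` is the right direction, since it no longer forms a pointer past the buffer before testing it.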
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
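The length decoding the commit describes, as an added example that is not krb5's own code: `der_get_length()` is an assumed stand-in for `gssint_get_der_length()` (short form and multi-byte long form, returning -1 on malformed input), `read_mech_oid()` mirrors the fixed `get_mech_oid()` check, and the three tokens are constructed samples, including the non-minimal two-byte length that the old one-byte reader would have rejected.

```c
#include <stddef.h>

/* Assumed stand-in for gssint_get_der_length(): decode a DER length (short or
 * long form) at *buf; returns it or -1, advancing *buf and counting the octets. */
static int der_get_length(const unsigned char **buf, size_t avail, unsigned int *consumed)
{
    const unsigned char *p = *buf;
    unsigned int nbytes, i; int len = 0;
    if (avail < 1)
        return -1;
    if ((p[0] & 0x80) == 0) {           /* short form: one octet, 0..127 */
        *buf = p + 1; *consumed = 1;
        return p[0];
    }
    nbytes = p[0] & 0x7f;               /* long form: number of length octets */
    if (nbytes == 0 || nbytes > 3 || avail < 1 + (size_t)nbytes)
        return -1;                      /* indefinite, oversize or truncated */
    for (i = 1; i <= nbytes; i++)
        len = (len << 8) | p[i];
    *buf = p + 1 + nbytes; *consumed = 1 + nbytes;
    return len;
}

/* The fixed get_mech_oid() logic: parse one OID element (tag 0x06) of a SPNEGO mech
 * list; returns the OID length and sets *oid, or -1 if malformed or past the buffer. */
static int read_mech_oid(const unsigned char **buf, size_t length, const unsigned char **oid)
{
    const unsigned char *p = *buf;
    unsigned int bytes; int oid_length;
    if (length < 1 || p[0] != 0x06)
        return -1;
    p++; length--;
    oid_length = der_get_length(&p, length, &bytes);
    if (oid_length < 0 || length - bytes < (size_t)oid_length) /* bytes <= length */
        return -1;
    *oid = p; *buf = p + oid_length;
    return oid_length;
}

/* Constructed samples: Kerberos V5 mech OID 1.2.840.113554.1.2.2 with a short-form
 * length; the same OID with a non-minimal two-byte length (the NetApp-style encoding
 * the commit message describes); and a long-form element cut off after two bytes. */
static const unsigned char tok_short[] = {0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02};
static const unsigned char tok_long[] = {0x06, 0x81, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02};
static const unsigned char tok_trunc[] = {0x06, 0x81, 0x09, 0x2a, 0x86};

/* Parse one sample from its start; returns the OID length, or -1 if rejected. */
static int parse_sample(const unsigned char *tok, size_t len)
{
    const unsigned char *p = tok, *oid = NULL;
    return read_mech_oid(&p, len, &oid);
}
```

Both well-formed samples yield the 9-byte OID, while the truncated one is rejected rather than read past the end of the buffer.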
