krb5 commit: Do proper length decoding in SPNEGO gss_get_oid()
Greg Hudson
ghudson at mit.edu
Wed Sep 9 17:02:47 EDT 2020
https://github.com/krb5/krb5/commit/f712fa5a94438096d3c2449babe4aca9c17d7feb
commit f712fa5a94438096d3c2449babe4aca9c17d7feb
Author: Greg Hudson <ghudson at mit.edu>
Date: Tue Jul 28 12:51:06 2020 -0400
Do proper length decoding in SPNEGO gss_get_oid()
When reading an OID in a SPNEGO token, use gssint_get_der_length()
rather than assuming the length fits in one byte. Although OID
lengths greater than 127 are unlikely, some NetApp products have been
observed to incorrectly encode the length in multiple bytes. Reported
by Richard Sharpe.
ticket: 8932 (new)
src/lib/gssapi/spnego/spnego_mech.c | 13 ++++++-------
1 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 68e3897..450145d 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -3338,20 +3338,19 @@ get_mech_oid(OM_uint32 *minor_status, unsigned char **buff_in, size_t length)
OM_uint32 status;
gss_OID_desc toid;
gss_OID mech_out = NULL;
- unsigned char *start, *end;
+ unsigned int bytes;
+ int oid_length;
if (length < 1 || **buff_in != MECH_OID)
return (NULL);
-
- start = *buff_in;
- end = start + length;
-
(*buff_in)++;
- toid.length = *(*buff_in)++;
+ length--;
- if ((*buff_in + toid.length) > end)
+ oid_length = gssint_get_der_length(buff_in, length, &bytes);
+ if (oid_length < 0 || length - bytes < (size_t)oid_length)
return (NULL);
+ toid.length = oid_length;
toid.elements = *buff_in;
*buff_in += toid.length;
More information about the cvs-krb5
mailing list