krb5 commit: Do proper length decoding in SPNEGO gss_get_oid()

Greg Hudson ghudson at mit.edu
Wed Sep 9 17:02:47 EDT 2020


https://github.com/krb5/krb5/commit/f712fa5a94438096d3c2449babe4aca9c17d7feb
commit f712fa5a94438096d3c2449babe4aca9c17d7feb
Author: Greg Hudson <ghudson at mit.edu>
Date:   Tue Jul 28 12:51:06 2020 -0400

    Do proper length decoding in SPNEGO gss_get_oid()
    
    When reading an OID in a SPNEGO token, use gssint_get_der_length()
    rather than assuming the length fits in one byte.  Although OID
    lengths greater than 127 are unlikely, some NetApp products have been
    observed to incorrectly encode the length in multiple bytes.  Reported
    by Richard Sharpe.
    
    ticket: 8932 (new)

 src/lib/gssapi/spnego/spnego_mech.c |   13 ++++++-------
 1 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 68e3897..450145d 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -3338,20 +3338,19 @@ get_mech_oid(OM_uint32 *minor_status, unsigned char **buff_in, size_t length)
 	OM_uint32	status;
 	gss_OID_desc 	toid;
 	gss_OID		mech_out = NULL;
-	unsigned char		*start, *end;
+	unsigned int	bytes;
+	int		oid_length;
 
 	if (length < 1 || **buff_in != MECH_OID)
 		return (NULL);
-
-	start = *buff_in;
-	end = start + length;
-
 	(*buff_in)++;
-	toid.length = *(*buff_in)++;
+	length--;
 
-	if ((*buff_in + toid.length) > end)
+	oid_length = gssint_get_der_length(buff_in, length, &bytes);
+	if (oid_length < 0 || length - bytes < (size_t)oid_length)
 		return (NULL);
 
+	toid.length = oid_length;
 	toid.elements = *buff_in;
 	*buff_in += toid.length;
 
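Review bot: In the new bounds check, `length - bytes < (size_t)oid_length` is only safe if gssint_get_der_length() never reports `bytes` larger than the `length` it was given when it returns a non-negative value. `length` is a size_t, so if that did happen the subtraction would wrap to a huge value and the check would pass. That guarantee is not visible in this hunk. Either add a one-line comment stating it, or make the test self-contained by also rejecting `bytes > length` before subtracting. Separately, the diffstat shows only spnego_mech.c changing. A regression test that feeds get_mech_oid() an OID whose length is encoded in multiple bytes (the NetApp case from the commit message), plus one whose declared length runs past the end of the buffer, would pin down both the new acceptance path and the rejection path.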

