Sanity checking asn.1_encode patch

Greg Hudson ghudson at mit.edu
Thu Mar 18 20:05:38 EDT 2021


On 3/18/21 4:53 PM, Tony Rodriguez wrote:
> I am new to Kerberos. How can I sanity test that recursion within
> asn.1_encode stops after 31? Does Kerberos have any command line
> utilities to test asn.1_encode? If so, what are they and which
> parameters must I pass? If not, does someone have example code that I
> can compile to test the recursion level logic works as expected?

I've attached the test program I wrote to verify the problem.  Run it
with a numeric buffer size argument.  With the unpatched code I was able
to produce a stack overflow with a buffer size of 90000.
-------------- next part --------------
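#include <krb5.h>
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

/* Not declared in <krb5.h>; prototype supplied here for the MIT build. */
krb5_error_code
decode_krb5_ap_req(const krb5_data *output, krb5_ap_req **rep);

int main(int argc, char **argv)
{
    char *buf;
    size_t i, len;
    krb5_data d;

    if (argc != 2) {
        fprintf(stderr, "usage: %s buffer-size\n", argv[0]);
        return 1;
    }
    len = strtoul(argv[1], NULL, 10);
    assert(len % 2 == 0);
    buf = malloc(len);
    assert(buf != NULL);
    /* Fill the buffer with nested constructed tags, none of them closed. */
    for (i = 0; i < len; i += 2) {
        buf[i] = 0x6e; /* [APPLICATION 14], constructed (AP-REQ) */
        buf[i + 1] = 0x80; /* indefinite length */
    }
    d.data = buf;
    d.length = len;
#ifdef HEIMDAL
    krb5_ap_req r;
    krb5_decode_ap_req(NULL, &d, &r);
#else
    krb5_ap_req *r;
    decode_krb5_ap_req(&d, &r);
#endif
    return 0;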
}
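
For comparison with the test program above, a depth-capped BER walker that rejects the same kind of input; this is an added example, not part of the original message and not MIT krb5 or Heimdal code. The names `ber_skip`, `probe` and `MAX_DEPTH` and the cap of 32 are assumptions for illustration, and the constructed inputs reuse the 6e 80 pattern from the attachment.

```c
#include <string.h>
#define MAX_DEPTH 32  /* assumed cap for this sketch, not taken from the patch */
enum { BER_OK = 0, BER_MALFORMED = -1, BER_TOO_DEEP = -2 };

/* Skip one BER element at *p (single-byte tags only), advancing *p past it. */
static int ber_skip(const unsigned char **p, const unsigned char *end, int depth)
{
    const unsigned char *q = *p;
    size_t len, n;
    int ret;
    if (end - q < 2 || (q[0] & 0x1f) == 0x1f)
        return BER_MALFORMED;
    if (q[1] == 0x80) {                  /* indefinite length */
        if (!(q[0] & 0x20))
            return BER_MALFORMED;        /* only valid on constructed types */
        if (depth >= MAX_DEPTH)
            return BER_TOO_DEEP;         /* refuse before recursing further */
        for (q += 2; end - q >= 2 && (q[0] | q[1]) != 0; )
            if ((ret = ber_skip(&q, end, depth + 1)) != BER_OK)
                return ret;
        if (end - q < 2)
            return BER_MALFORMED;        /* end-of-contents octets missing */
        q += 2;
    } else {                             /* definite length, short or long form */
        n = (q[1] & 0x80) ? (size_t)(q[1] & 0x7f) : 0;
        len = n ? 0 : q[1];
        if (n > sizeof(len) || (size_t)(end - q) - 2 < n)
            return BER_MALFORMED;
        for (q += 2; n > 0; n--)
            len = (len << 8) | *q++;
        if ((size_t)(end - q) < len)
            return BER_MALFORMED;
        q += len;
    }
    *p = q;
    return BER_OK;
}

/* Constructed input: `opens` nested 6e 80 headers, then `closes` 00 00 pairs. */
int probe(size_t opens, size_t closes)
{
    static unsigned char buf[4096];
    const unsigned char *p = buf;
    if (opens > sizeof(buf) / 2 || closes > sizeof(buf) / 2 - opens)
        return BER_MALFORMED;
    for (size_t i = 0; i < opens; i++)
        memcpy(buf + 2 * i, "\x6e\x80", 2);
    memset(buf + 2 * opens, 0, 2 * closes);
    return ber_skip(&p, buf + 2 * (opens + closes), 0);
}
```

An unterminated run of headers such as `probe(2000, 0)` is refused once the nesting reaches the cap, so stack use stays bounded regardless of input length.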

