Heap Corruption with large authorization header values
Tim Vega
tvega at tableausoftware.com
Thu Oct 2 16:25:46 EDT 2014
First a clarification, this is krb5-1.12.1, not 1.12.2
We've made some progress and found that what's happening is a memory allocation/free function mismatch:
Line 1241 of src\lib\gssapi\krb5\accept_sec_context.c:
token.value = (unsigned char *) xmalloc(token.length);
This allocates the token which is then deallocated here:
Line 1790 of src\lib\gssapi\spnego\spnego_mech.c
gss_release_buffer(&tmpmin, &mechtok_out);
Changing xmalloc to gssalloc_malloc solves our issue.
May I forward this to the bug-reports mailing list?
Tim
From: Tim Vega
Sent: Wednesday, October 01, 2014 1:19 PM
To: krbdev at mit.edu
Subject: Heap Corruption with large authorization header values
Hello,
We have mod_auth_kerb 5.4 running with krb5-1.12.2
When sending a request with a very large authorization value, 12462 characters and sample attached, the kerberos library encounters a heap corruption somewhere in a call to gss_accept_sec_context.
The data that appears to be corrupted is pointed to by the variable mechtok_out in spnego_gss_accept_sec_context in lib/gssapi/spnego/spnego_mech.c. The corruption gets detected by a call to gss_release_buffer in the cleanup routine of the same function.
Has anyone seen this before? Is this expected behavior given a large auth header?
Tim
More information about the krbdev
mailing list