Heap Corruption with large authorization header values

Greg Hudson ghudson at mit.edu
Tue Oct 7 20:23:07 EDT 2014


[I've moderated Tim's messages through to krbdev.  I don't plan to
moderate them through to kerberos; messages should go to one or the
other, not both.]

On 10/02/2014 04:25 PM, Tim Vega wrote:
> Line 1241 of src\lib\gssapi\krb5\accept_sec_context.c:
> token.value = (unsigned char *) xmalloc(token.length);
> 
> This allocates the token which is then deallocated here:
> 
> Line 1790 of src\lib\gssapi\spnego\spnego_mech.c
> gss_release_buffer(&tmpmin, &mechtok_out);
> 
> Changing xmalloc to gssalloc_malloc solves our issue.

I assume you're using a build from source on Windows?

I agree with the description of the bug; this malloc call should have
been converted when we introduced gssalloc_malloc.  The bug can't
manifest in 1.10.x (and thus in the most recent Kerberos for Windows
release) because it's masked by #1445, which was fixed in 1.12:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=1445

I will go ahead and submit a fix for this; no need to send a separate
bug report.
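
An added illustration of the mismatch discussed in this message (not part of the original e-mail and not krb5 code): a buffer obtained from one allocator is handed to a release routine that belongs to another. `demo_gssalloc_malloc`, `demo_release_buffer`, `demo_buffer` and `release_result` are hypothetical stand-ins, and the registry lookup is an assumption made here so the mismatch is reported instead of corrupting the heap.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins, not the krb5 API: an allocator that records every
 * block it hands out, so the release path can recognise foreign pointers. */
#define MAX_LIVE 64
static void *live[MAX_LIVE];
typedef struct { size_t length; void *value; } demo_buffer;

static void *demo_gssalloc_malloc(size_t n)
{
    void *p = malloc(n ? n : 1);
    for (int i = 0; p != NULL && i < MAX_LIVE; i++)
        if (live[i] == NULL) { live[i] = p; return p; }
    free(p);                        /* malloc failed or registry is full */
    return NULL;
}

/* Returns 0 when the buffer is released, -1 when it came from a different
 * allocator. Where the two allocators use separate heaps, the -1 case is
 * the point at which an unchecked release would corrupt the heap. */
static int demo_release_buffer(demo_buffer *buf)
{
    for (int i = 0; buf->value != NULL && i < MAX_LIVE; i++) {
        if (live[i] != buf->value) continue;
        live[i] = NULL;
        free(buf->value);
        buf->value = NULL; buf->length = 0;
        return 0;
    }
    return buf->value == NULL ? 0 : -1;
}

/* Allocates a token with one allocator or the other, then releases it. */
static int release_result(int use_gss_allocator, size_t len)
{
    demo_buffer tok = { len, NULL };
    tok.value = use_gss_allocator ? demo_gssalloc_malloc(len) : malloc(len);
    if (tok.value == NULL) return -2;
    int rc = demo_release_buffer(&tok);
    if (rc != 0) free(tok.value);   /* hand it back to its real allocator */
    return rc;
}

int main(void)
{
    printf("plain malloc token: %d, matching allocator token: %d\n",
           release_result(0, 4096), release_result(1, 4096));
    return 0;
}
```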


