Local buffer too small to hold opaque_auth data in svcauth_gss_validate?

Tomas Kuthan tomas.kuthan at oracle.com
Thu Sep 22 04:45:10 EDT 2016


293 static bool_t
294 svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data 
*gd, struct rpc_msg *msg)
295 {
296	struct opaque_auth	*oa;
297	gss_buffer_desc		 rpcbuf, checksum;
298	OM_uint32		 maj_stat, min_stat, qop_state;
299	u_char			 rpchdr[128];
307	oa = &msg->rm_call.cb_cred;
308	if (oa->oa_length > MAX_AUTH_BYTES)
309		return (FALSE);
311	/* 8 XDR units from the IXDR macro calls. */
312	if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
313			      RNDUP(oa->oa_length)))
314		return (FALSE);

As a part of MIC verification, opaque_auth data is copied into local 
variable rpcbuf. According to a comment in src/include/gssrpc/auth.h, 
opaque_auth size can be up to MAX_AUTH_BYTES=400, but the local buffer 
only has 128 B.

This feels unnecessarily limiting. At least since CVE-2007-3999 there is 
no buffer overflow (lines 311-314), but still, it seems some valid 
messages might get rejected just because their size exceeds 128.

Is there a reason for having the local buffer be 128 B only?


More information about the krbdev mailing list