Local buffer too small to hold opaque_auth data in svcauth_gss_validate?
Tomas Kuthan
tomas.kuthan at oracle.com
Thu Sep 22 04:45:10 EDT 2016
Hi,
src/lib/rpc/svc_auth_gss.c:
293 static bool_t
294 svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
295 {
296     struct opaque_auth *oa;
297     gss_buffer_desc rpcbuf, checksum;
298     OM_uint32 maj_stat, min_stat, qop_state;
299     u_char rpchdr[128];
...
307     oa = &msg->rm_call.cb_cred;
308     if (oa->oa_length > MAX_AUTH_BYTES)
309         return (FALSE);
310
311     /* 8 XDR units from the IXDR macro calls. */
312     if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
313                           RNDUP(oa->oa_length)))
314         return (FALSE);
...
As a part of MIC verification, opaque_auth data is copied into local
variable rpcbuf. According to a comment in src/include/gssrpc/auth.h,
opaque_auth size can be up to MAX_AUTH_BYTES=400, but the local buffer
only has 128 B.
This feels unnecessarily limiting. At least since CVE-2007-3999 there is
no buffer overflow (lines 311-314), but still, it seems some valid
messages might get rejected just because their size exceeds 128.
Is there a reason for having the local buffer be 128 B only?
Thanks,
Tomas
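An added example, not code from the post or from krb5, that mirrors the size check quoted above so the exact cut-off becomes visible: which credential lengths a 128-byte rpchdr accepts, and how large the buffer would have to be to accept every credential that MAX_AUTH_BYTES permits. BYTES_PER_XDR_UNIT=4 and the RNDUP rounding are assumed from the usual XDR definitions; MAX_AUTH_BYTES=400, the 128-byte buffer and the 8 XDR units are taken from the post.

```c
#include <stddef.h>
#include <stdio.h>

/* MAX_AUTH_BYTES, the 128-byte buffer and the 8 header units come from the
 * post; BYTES_PER_XDR_UNIT and RNDUP are assumed from the usual XDR headers. */
#define MAX_AUTH_BYTES     400
#define BYTES_PER_XDR_UNIT 4
#define RNDUP(x) ((((x) + BYTES_PER_XDR_UNIT - 1) / BYTES_PER_XDR_UNIT) * BYTES_PER_XDR_UNIT)
#define RPCHDR_SIZE        128
#define HDR_XDR_UNITS      8   /* "8 XDR units from the IXDR macro calls" */

/* Bytes the reconstructed RPC header needs for a credential of oa_length. */
size_t rpchdr_bytes_needed(size_t oa_length)
{
    return HDR_XDR_UNITS * BYTES_PER_XDR_UNIT + RNDUP(oa_length);
}

/* Mirrors the two checks in svcauth_gss_validate: 1 = accepted, 0 = rejected.
 * Rejecting is the safe outcome (no overflow), but the request is dropped. */
int credential_accepted(size_t oa_length, size_t bufsize)
{
    if (oa_length > MAX_AUTH_BYTES)
        return 0;
    if (bufsize < rpchdr_bytes_needed(oa_length))
        return 0;
    return 1;
}

/* Largest oa_length that a local buffer of bufsize bytes still accepts. */
size_t max_accepted_length(size_t bufsize)
{
    size_t n, best = 0;
    for (n = 0; n <= MAX_AUTH_BYTES; n++)
        if (credential_accepted(n, bufsize))
            best = n;
    return best;
}

int main(void)
{
    printf("128-byte rpchdr accepts credentials up to %zu bytes\n",
           max_accepted_length(RPCHDR_SIZE));
    printf("buffer needed for the largest legal credential: %zu bytes\n",
           rpchdr_bytes_needed(MAX_AUTH_BYTES));
    return 0;
}
```

With a 128-byte buffer the header overhead of 32 bytes leaves room for credentials of at most 96 bytes, so any credential between 97 and 400 bytes is rejected even though the length check alone would allow it.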