SASL 1.5.x maxbuf size handling (ITS#2484)
Full_Name: Simon Wilkinson
Version: 2.1.17
OS:
URL:
Submission from: (NULL) (212.20.248.63)
The GSSAPI plugin that ships with SASL 1.5 doesn't handle buffer size exchange
properly. This results in the server receiving a buffer size of 0.
The OpenLDAP server fails to handle this correctly due to the following lines in cyrus.c:

    if ( len > *p->sasl_maxbuf - 100 )
        len = *p->sasl_maxbuf - 100; /* For safety margin */
len and sasl_maxbuf are both unsigned; if sasl_maxbuf < 100, then this overflows.
This behaviour is harmless until a PDU larger than 65536 is returned by the server, causing the client to complain that the result is larger than the hardcoded maximum buffer size.
[ Aside: With SASL v2, would forcing the negotiation of a maxbuf of 0 result in a denial of service attack, as the server would constantly transmit empty packets? ]
Locally, we've fixed the SASL bug, but I thought that the more general problem in the server code was worth raising.
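The unsigned wraparound the report describes, reproduced as an added example (this is not code from OpenLDAP or from the report): the quoted clamp is copied as-is into clamp_as_reported, and a checked variant refuses a negotiated maxbuf that cannot hold the safety margin instead of wrapping. The MIN_MAXBUF floor, the 65536 client-side limit used in the demonstration, and the function names are assumptions for this example, not OpenLDAP's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SAFETY_MARGIN 100u     /* the "safety margin" in the quoted cyrus.c lines */
#define MIN_MAXBUF   1024u     /* assumed lower bound on a usable maxbuf (example policy) */
#define CLIENT_LIMIT 65536u    /* assumed hardcoded client maximum PDU size, as the report describes */

/* The clamp as quoted from cyrus.c. Both operands are unsigned, so for
 * maxbuf < 100 the expression maxbuf - 100 wraps to a huge value, the
 * comparison is never true, and len is silently left unclamped. */
size_t clamp_as_reported(size_t len, unsigned int maxbuf)
{
    if (len > maxbuf - SAFETY_MARGIN)
        len = maxbuf - SAFETY_MARGIN;
    return len;
}

/* Checked variant (example, not OpenLDAP's fix): test the window before
 * subtracting so the arithmetic cannot wrap, and report an unusable
 * maxbuf to the caller instead of returning an absurd limit. */
bool clamp_checked(size_t len, unsigned int maxbuf, size_t *out)
{
    if (maxbuf <= SAFETY_MARGIN || maxbuf < MIN_MAXBUF)
        return false;                       /* caller must not send with this window */
    size_t limit = (size_t)maxbuf - SAFETY_MARGIN;   /* cannot wrap: maxbuf > SAFETY_MARGIN */
    *out = len > limit ? limit : len;
    return true;
}

/* Single-value convenience wrapper: SIZE_MAX means "refused". */
size_t clamp_or_refuse(size_t len, unsigned int maxbuf)
{
    size_t out;
    return clamp_checked(len, maxbuf, &out) ? out : SIZE_MAX;
}

static void show(const char *label, size_t len, unsigned int maxbuf)
{
    size_t reported = clamp_as_reported(len, maxbuf);
    size_t checked  = clamp_or_refuse(len, maxbuf);

    printf("%s: len=%zu maxbuf=%u\n", label, len, maxbuf);
    printf("  as reported -> %zu%s\n", reported,
           reported > CLIENT_LIMIT ? " (exceeds assumed client limit: client would complain)" : "");
    if (checked == SIZE_MAX)
        printf("  checked     -> refused (maxbuf too small to carry the safety margin)\n");
    else
        printf("  checked     -> %zu\n", checked);
}

int main(void)
{
    /* Constructed scenarios: a 70000-byte PDU against the maxbuf=0 the
     * broken SASL 1.5 GSSAPI plugin sends, and against a sane 65536. */
    show("maxbuf from broken plugin", 70000, 0);
    show("sane maxbuf",               70000, 65536);
    show("small PDU, maxbuf 0",       50,    0);
    return 0;
}
```

With maxbuf=0 the quoted clamp passes a 70000-byte PDU through untouched, which is exactly the "harmless until a PDU larger than 65536" symptom; a small PDU also passes, which is why the bug stays hidden on most traffic. Refusing rather than clamping to 0 also avoids the empty-packet loop the aside worries about, but what to do instead (reject the bind, fall back to a default) is a policy decision the example does not make.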