
SASL 1.5.x maxbuf size handling (ITS#2484)



Full_Name: Simon Wilkinson
Version: 2.1.17
OS: 
URL: 
Submission from: (NULL) (212.20.248.63)


The GSSAPI plugin that ships with SASL 1.5 doesn't handle buffer size exchange
properly. This results in the server receiving a buffer size of 0. 

The OpenLDAP server fails to handle this correctly due to the following lines
in cyrus.c:

        if ( len > *p->sasl_maxbuf - 100 )
                len = *p->sasl_maxbuf - 100;    /* For safety margin */

len and sasl_maxbuf are both unsigned; if sasl_maxbuf < 100, then this overflows.

This behaviour is harmless until a PDU larger than 65536 is returned by the
server, causing the client to complain that the result is larger than the
hardcoded maximum buffer size.

[ Aside: With SASL v2, would forcing the negotiation of a maxbuf of 0 result in
a denial of service attack, as the server would constantly transmit empty
packets? ]

Locally, we've fixed the SASL bug, but I thought that the more general problem
in the server code was worth raising.
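Added example (not code from the report or from OpenLDAP): a stand-in for the cyrus.c clamp above, showing how the unsigned subtraction stops limiting `len` once the negotiated maxbuf drops below the 100-byte margin, next to a variant that computes the limit without wrapping and refuses a maxbuf that leaves no room to send anything. The `unsigned int` types, the function names and the constructed inputs are assumptions for illustration.

```c
#include <stdio.h>

/* Safety margin used by the check quoted in the report. */
#define SAFETY_MARGIN 100u

/* Mirrors the original check: both operands are unsigned, so when maxbuf is
 * below the margin the subtraction wraps to a huge value, the comparison is
 * always false, and len is passed through unclamped. */
unsigned int clamp_len_original(unsigned int len, unsigned int maxbuf)
{
    if (len > maxbuf - SAFETY_MARGIN)
        len = maxbuf - SAFETY_MARGIN;       /* "safety margin" */
    return len;
}

/* Hardened variant (added here, not the project's fix): derive the usable
 * limit without wrapping, and fail loudly when the peer's maxbuf leaves no
 * room at all, instead of letting the caller send empty or oversized PDUs.
 * Returns 0 on success with *out set, -1 when maxbuf <= SAFETY_MARGIN. */
int clamp_len_hardened(unsigned int len, unsigned int maxbuf, unsigned int *out)
{
    unsigned int limit;

    if (maxbuf <= SAFETY_MARGIN)            /* 0, or no payload room left */
        return -1;
    limit = maxbuf - SAFETY_MARGIN;         /* cannot wrap: maxbuf > margin */
    *out = (len > limit) ? limit : len;
    return 0;
}

int main(void)
{
    unsigned int out;
    /* Constructed inputs: a 200000-byte PDU against a sane maxbuf, then
     * against the maxbuf of 0 that the broken SASL 1.5 plugin produces. */
    printf("original, maxbuf 65536: %u\n", clamp_len_original(200000u, 65536u));
    printf("original, maxbuf 0:     %u (not clamped)\n",
           clamp_len_original(200000u, 0u));
    if (clamp_len_hardened(200000u, 0u, &out) < 0)
        printf("hardened, maxbuf 0:     rejected\n");
    if (clamp_len_hardened(200000u, 65536u, &out) == 0)
        printf("hardened, maxbuf 65536: %u\n", out);
    return 0;
}
```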