[Date Prev][Date Next] [Chronological] [Thread] [Top]

SASL 1.5.x maxbuf size handling (ITS#2484)

Full_Name: Simon Wilkinson
Version: 2.1.17
Submission from: (NULL) (

The GSSAPI plugin that ships with SASL 1.5 doesn't handle buffer size exchange
properly. This results in the server receiving a buffer size of 0. 

The OpenLDAP server fails to handle this correctly due to the following lines
        if ( len > *p->sasl_maxbuf - 100 )
                len = *p->sasl_maxbuf - 100;    /* For safety margin */

len and sasl_maxbuf are both unsigned, if sasl_maxbuf<100, then this overflows.

This behaviour is harmless until a PDU larger than 65536 is returned by the
server, causing the client to complain that the result is larger than the
hardcoded maximum
buffer size.

[ Aside: With SASL v2, would forcing the negotiation of a maxbuf of 0 result in
a denial of service attack, as the server would constantly transmit empty
packets? ]

Locally, we've fixed the SASL bug, but I thought that the more general problem
in the server code was worth raising.