
Re: SASL_MAX_BUFF_SIZE in /libraries/libldap/cyrus.c

At 07:48 PM 1/18/01 +0100, Norbert Klasen wrote:
>Is the size of this buffer mandated by some standard or arbitrarily
>chosen for this implementation?

RFC 2222, Section 3 says (in part):
   If the use of a security layer is agreed upon, then the mechanism
   must also define or negotiate the maximum cipher-text buffer size
   that each side is able to receive.

   The length of the cipher-text buffer must be no larger than the
   maximum size that was defined or negotiated by the other side.

Section 7 (GSSAPI) indicates that the length is negotiated.

OpenLDAP, by default, sets the maxbufsize.  If we get buffers
returned larger than this, that's an error.  I note that our
code should have some additional sanity checks.  I committed
a couple.

>I ask because I get errors on large result sets from Active Directory
>when GSSAPI privacy protection is in place:
>sb_sasl_pkt_length: received illegal packet length of 66112 bytes
>sb_sasl_read: failed to decode packet: generic failure

Well, I'd be interested to see if Cyrus SASL sent AD the maxbufsize
requested by OpenLDAP.  If it did, then I would think AD is
in error.
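
Added example, not part of the original message and not OpenLDAP's code: a sketch of the two checks the thread turns on, namely the RFC 2222 section 7 token that advertises the maximum receive buffer and the receiver-side test of the four-octet length prefix against that maximum. The function names, result codes and the 65536-byte limit are assumptions for illustration; the packet bytes are constructed to encode the 66112-byte length from the quoted error.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Result codes and names below are hypothetical, chosen for this example. */
enum { PKT_OK = 0, PKT_SHORT = -1, PKT_TOO_LARGE = -2 };

/* RFC 2222 section 7 negotiation token: octet 0 is the security-layer
 * bitmask (1 none, 2 integrity, 4 privacy); octets 1..3 carry the largest
 * buffer the sender is able to receive, in network byte order. */
static int encode_neg_token(uint8_t out[4], uint8_t layers, uint32_t maxbuf) {
    if (maxbuf > 0xFFFFFFu) return -1;      /* must fit in 24 bits */
    out[0] = layers;
    out[1] = (uint8_t)(maxbuf >> 16);
    out[2] = (uint8_t)(maxbuf >> 8);
    out[3] = (uint8_t)maxbuf;
    return 0;
}

static uint32_t neg_token_maxbuf(const uint8_t tok[4]) {
    return ((uint32_t)tok[1] << 16) | ((uint32_t)tok[2] << 8) | tok[3];
}

/* Read the four-octet length prefix of a received security-layer packet
 * and reject it, before allocating or decoding, if it exceeds the maximum
 * this side advertised. */
static int check_pkt_length(const uint8_t *buf, size_t avail,
                            uint32_t our_max, uint32_t *len_out) {
    if (avail < 4) return PKT_SHORT;        /* prefix not complete yet */
    uint32_t len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                   ((uint32_t)buf[2] << 8) | buf[3];
    if (len > our_max) return PKT_TOO_LARGE;
    *len_out = len;
    return PKT_OK;
}

int main(void) {
    uint8_t tok[4];
    uint32_t len = 0;
    const uint32_t our_max = 65536;         /* assumed limit, not from the page */
    const uint8_t pkt[4] = {0x00, 0x01, 0x02, 0x40};  /* constructed: 66112 */
    encode_neg_token(tok, 4, our_max);
    printf("advertised=%u verdict=%d\n", (unsigned)neg_token_maxbuf(tok),
           check_pkt_length(pkt, sizeof pkt, our_max, &len));
    return 0;
}
```

Comparing the value decoded from the token actually sent on the wire with the limit enforced on receive is how one would tell whether the peer ignored the advertised size or never received it.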