Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Avoid truncation when encoding Kerberos token #5435

Closed
wants to merge 1 commit into from
Closed

Avoid truncation when encoding Kerberos token #5435

wants to merge 1 commit into from

Conversation

hansmi
Copy link
Contributor

@hansmi hansmi commented Nov 12, 2018
edited

The "httpEncode64_2" function appends padding (0-3x "="). The buffer
size calculation in "_cupsSetNegotiateAuthString" did the calculation
wrongly and would have a buffer overflow for tokens of size (N * 4)
+ 1 and (N * 4) + 2. With this change the buffer size is computed
correctly.

See commit message for detailed calculation.

@hansmi
Avoid buffer overflow when encoding Kerberos token
7de8226 
The "httpEncode64_2" function appends padding (0-3x "="). The buffer
size calculation in "_cupsSetNegotiateAuthString" did the calculation
wrongly and would have a buffer overflow for tokens of size (N * 4)
+ 1 and (N * 4) + 2. With this change the buffer size is computed
correctly.

Proof-of-concept in Python:

$ python <<'EOF'
import base64

def calc(c):
  raw = c * "A"
  enclen = len(base64.b64encode(raw))
  origlen = len(raw) * 4 / 3 + 1
  fixedlen = ((4 * len(raw) / 3) + 3) & ~3
  print
  print "input len =  ", c
  print "encoded len =", enclen
  print "orig len =   ", origlen, ("(bad)" if enclen > origlen else "")
  print "fixed len =  ", fixedlen, ("(bad)" if enclen > fixedlen else "")
  print "waste =      ", fixedlen - enclen

for i in range(7): calc(i)
EOF

Output:

---
input len =   0
encoded len = 0
orig len =    1
fixed len =   0
waste =       0

input len =   1
encoded len = 4
orig len =    2 (bad)
fixed len =   4
waste =       0

input len =   2
encoded len = 4
orig len =    3 (bad)
fixed len =   4
waste =       0

input len =   3
encoded len = 4
orig len =    5
fixed len =   4
waste =       0

input len =   4
encoded len = 8
orig len =    6 (bad)
fixed len =   8
waste =       0

input len =   5
encoded len = 8
orig len =    7 (bad)
fixed len =   8
waste =       0

input len =   6
encoded len = 8
orig len =    9
fixed len =   8
waste =       0
---
@michaelrsweet
Copy link
Collaborator

Changing the title to reflect the issue - httpEncode64_2 won't overflow, it will truncate.

@michaelrsweet michaelrsweet added this to the CUPS 2.2.x Updates milestone Nov 13, 2018
@michaelrsweet michaelrsweet self-assigned this Nov 13, 2018
@michaelrsweet michaelrsweet changed the title Avoid buffer overflow when encoding Kerberos token Avoid truncation when encoding Kerberos token Nov 13, 2018
michaelrsweet added a commit that referenced this pull request Nov 14, 2018
@michaelrsweet
Fix potential truncation of Kerberos credentials (Issue #5435)
fe35d60
michaelrsweet added a commit that referenced this pull request Nov 14, 2018
@michaelrsweet
Fix potential truncation of Kerberos credentials (Issue #5435)
ef2f369
@michaelrsweet
Copy link
Collaborator

[master ef2f369] Fix potential truncation of Kerberos credentials (Issue #5435)

[branch-2.2 fe35d60] Fix potential truncation of Kerberos credentials (Issue #5435)

michaelrsweet added a commit that referenced this pull request Nov 14, 2018
@michaelrsweet
Fix Kerberos truncation (Issue #5435)
6d99354
@michaelrsweet michaelrsweet mentioned this pull request Feb 28, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@michaelrsweet michaelrsweet

Labels
priority-medium
Projects
None yet
Milestone
CUPS 2.2.x Updates
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@hansmi @michaelrsweet