Avoid truncation when encoding Kerberos token #5435

Closed

Commits on Nov 12, 2018

  1. Avoid buffer overflow when encoding Kerberos token

    The "httpEncode64_2" function appends padding (0-3x "="). The buffer
    size calculation in "_cupsSetNegotiateAuthString" did the calculation
    wrongly and would have a buffer overflow for tokens of size (N * 4)
    + 1 and (N * 4) + 2. With this change the buffer size is computed
    correctly.
    
    Proof-of-concept in Python:
    
    $ python <<'EOF'
    import base64
    
    def calc(c):
      raw = c * "A"
      enclen = len(base64.b64encode(raw))
      origlen = len(raw) * 4 / 3 + 1
      fixedlen = ((4 * len(raw) / 3) + 3) & ~3
      print
      print "input len =  ", c
      print "encoded len =", enclen
      print "orig len =   ", origlen, ("(bad)" if enclen > origlen else "")
      print "fixed len =  ", fixedlen, ("(bad)" if enclen > fixedlen else "")
      print "waste =      ", fixedlen - enclen
    
    for i in range(7): calc(i)
    EOF
    
    Output:
    
    ---
    input len =   0
    encoded len = 0
    orig len =    1
    fixed len =   0
    waste =       0
    
    input len =   1
    encoded len = 4
    orig len =    2 (bad)
    fixed len =   4
    waste =       0
    
    input len =   2
    encoded len = 4
    orig len =    3 (bad)
    fixed len =   4
    waste =       0
    
    input len =   3
    encoded len = 4
    orig len =    5
    fixed len =   4
    waste =       0
    
    input len =   4
    encoded len = 8
    orig len =    6 (bad)
    fixed len =   8
    waste =       0
    
    input len =   5
    encoded len = 8
    orig len =    7 (bad)
    fixed len =   8
    waste =       0
    
    input len =   6
    encoded len = 8
    orig len =    9
    fixed len =   8
    waste =       0
    ---
    hansmi committed Nov 12, 2018
    7de8226
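
The sizing rule from the commit message, as an added C example (not the CUPS source and not this pull request's patch): the output buffer is checked against the padded length plus a NUL before any byte is written. The names `b64_bufsize`, `b64_bufsize_orig` and `b64_encode_checked` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Undersized formula quoted in the commit message: len * 4 / 3 + 1. */
size_t b64_bufsize_orig(size_t n) { return n * 4 / 3 + 1; }

/* Bytes needed for n input bytes: 4 per 3-byte group (rounded up, so the
 * "=" padding is counted) plus a NUL. Returns 0 if that would overflow. */
size_t b64_bufsize(size_t n)
{
    if (n > (SIZE_MAX - 1) / 4 * 3 - 2)
        return 0;
    return 4 * ((n + 2) / 3) + 1;
}

/* Hypothetical bounds-checked encoder (not the CUPS function). Returns the
 * encoded length, or -1 when out cannot hold output + padding + NUL. */
long b64_encode_checked(char *out, size_t outsize,
                        const unsigned char *in, size_t n)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i, o = 0, need = b64_bufsize(n);

    if (need == 0 || outsize < need)
        return -1;                            /* refuse instead of overflowing */
    for (i = 0; i + 2 < n; i += 3) {          /* full 3-byte groups */
        out[o++] = tbl[in[i] >> 2];
        out[o++] = tbl[((in[i] & 3) << 4) | (in[i + 1] >> 4)];
        out[o++] = tbl[((in[i + 1] & 15) << 2) | (in[i + 2] >> 6)];
        out[o++] = tbl[in[i + 2] & 63];
    }
    if (i < n) {                              /* 1 or 2 trailing bytes */
        unsigned b1 = (i + 1 < n) ? in[i + 1] : 0;
        out[o++] = tbl[in[i] >> 2];
        out[o++] = tbl[((in[i] & 3) << 4) | (b1 >> 4)];
        out[o++] = (i + 1 < n) ? tbl[(b1 & 15) << 2] : '=';
        out[o++] = '=';
    }
    out[o] = '\0';
    return (long)o;
}
```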