This repository was archived by the owner on Mar 10, 2026. It is now read-only.

Avoid truncation when encoding Kerberos token #5435

Closed. hansmi wants to merge 1 commit into apple:master from hansmi:authbufsize1


@hansmi hansmi commented Nov 12, 2018

Contributor

The "httpEncode64_2" function appends padding (0-3x "="). The buffer
size calculation in "_cupsSetNegotiateAuthString" did the calculation
wrongly and would have a buffer overflow for tokens of size (N * 4)
+ 1 and (N * 4) + 2. With this change the buffer size is computed
correctly.

See commit message for detailed calculation.

The "httpEncode64_2" function appends padding (0-3x "="). The buffer
size calculation in "_cupsSetNegotiateAuthString" did the calculation
wrongly and would have a buffer overflow for tokens of size (N * 4)
+ 1 and (N * 4) + 2. With this change the buffer size is computed
correctly.

Proof-of-concept in Python:

$ python <<'EOF'
import base64

def calc(c):
  raw = c * "A"
  enclen = len(base64.b64encode(raw))
  origlen = len(raw) * 4 / 3 + 1
  fixedlen = ((4 * len(raw) / 3) + 3) & ~3
  print
  print "input len =  ", c
  print "encoded len =", enclen
  print "orig len =   ", origlen, ("(bad)" if enclen > origlen else "")
  print "fixed len =  ", fixedlen, ("(bad)" if enclen > fixedlen else "")
  print "waste =      ", fixedlen - enclen

for i in range(7): calc(i)
EOF

Output:

---
input len =   0
encoded len = 0
orig len =    1
fixed len =   0
waste =       0

input len =   1
encoded len = 4
orig len =    2 (bad)
fixed len =   4
waste =       0

input len =   2
encoded len = 4
orig len =    3 (bad)
fixed len =   4
waste =       0

input len =   3
encoded len = 4
orig len =    5
fixed len =   4
waste =       0

input len =   4
encoded len = 8
orig len =    6 (bad)
fixed len =   8
waste =       0

input len =   5
encoded len = 8
orig len =    7 (bad)
fixed len =   8
waste =       0

input len =   6
encoded len = 8
orig len =    9
fixed len =   8
waste =       0
---
@michaelrsweet

Contributor

Changing the title to reflect the issue - httpEncode64_2 won't overflow, it will truncate.

michaelrsweet added this to the CUPS 2.2.x Updates milestone on Nov 13, 2018
michaelrsweet self-assigned this on Nov 13, 2018
michaelrsweet changed the title from "Avoid buffer overflow when encoding Kerberos token" to "Avoid truncation when encoding Kerberos token" on Nov 13, 2018
@michaelrsweet

Contributor

[master ef2f369] Fix potential truncation of Kerberos credentials (Issue #5435)

[branch-2.2 fe35d60] Fix potential truncation of Kerberos credentials (Issue #5435)
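
Added example, not part of the pull request or of CUPS: a C sketch of the sizing problem discussed in this thread, using a hypothetical bounded encoder `b64_encode_bounded` (not `httpEncode64_2`) that truncates instead of writing past the buffer. `orig_size` and `fixed_size` follow the two formulas in the commit message's Python proof-of-concept; the helper names, the constructed token, and the extra byte for the NUL terminator in `fixed_size` are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded encoder (not CUPS's httpEncode64_2): emits whole 4-char
 * groups while they fit, always NUL-terminates, returns characters written. */
static size_t b64_encode_bounded(char *out, size_t outlen,
                                 const unsigned char *in, size_t inlen)
{
  static const char tbl[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  size_t o = 0;
  if (outlen == 0) return 0;
  for (size_t i = 0; i < inlen && o + 4 < outlen; i += 3) {
    size_t n = inlen - i < 3 ? inlen - i : 3;  /* input bytes in this group */
    unsigned v = (unsigned)in[i] << 16;
    if (n > 1) v |= (unsigned)in[i + 1] << 8;
    if (n > 2) v |= in[i + 2];
    out[o++] = tbl[(v >> 18) & 63];
    out[o++] = tbl[(v >> 12) & 63];
    out[o++] = n > 1 ? tbl[(v >> 6) & 63] : '=';  /* padding for short group */
    out[o++] = n > 2 ? tbl[v & 63] : '=';
  }
  out[o] = '\0';
  return o;
}

/* "orig len" and "fixed len" formulas from the commit message; fixed_size adds
 * one byte (assumption) for the NUL that this sketch's encoder writes. */
static size_t orig_size(size_t len) { return len * 4 / 3 + 1; }
static size_t fixed_size(size_t len) { return (((4 * len / 3) + 3) & ~(size_t)3) + 1; }

/* 1 if a len-byte constructed token encodes completely into cap bytes. */
static int encodes_fully(size_t len, size_t cap)
{
  unsigned char token[64];
  char out[128];
  if (len > sizeof(token) || cap > sizeof(out) || cap == 0) return 0;
  memset(token, 'A', sizeof(token));
  return b64_encode_bounded(out, cap, token, len) == 4 * ((len + 2) / 3);
}

int main(void)
{
  for (size_t len = 0; len < 7; len++)
    printf("len=%zu orig=%s fixed=%s\n", len,
           encodes_fully(len, orig_size(len)) ? "ok" : "TRUNCATED",
           encodes_fully(len, fixed_size(len)) ? "ok" : "TRUNCATED");
  return 0;
}
```

With the original size the encoded credential comes out short for the same input lengths the proof-of-concept marks "(bad)", which a receiver would see as a malformed or failing Negotiate token, not as memory corruption.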
