Avoid truncation when encoding Kerberos token #5435

Closed

@hansmi hansmi commented Nov 12, 2018

The "httpEncode64_2" function appends padding (0-3x "="). The buffer
size calculation in "_cupsSetNegotiateAuthString" did the calculation
wrongly and would have a buffer overflow for tokens of size (N * 4)
+ 1 and (N * 4) + 2. With this change the buffer size is computed
correctly.

See commit message for detailed calculation.

The "httpEncode64_2" function appends padding (0-3x "="). The buffer
size calculation in "_cupsSetNegotiateAuthString" did the calculation
wrongly and would have a buffer overflow for tokens of size (N * 4)
+ 1 and (N * 4) + 2. With this change the buffer size is computed
correctly.

Proof-of-concept in Python:

$ python3 <<'EOF'
import base64

def calc(c):
  raw = c * b"A"  # b64encode takes bytes on Python 3
  enclen = len(base64.b64encode(raw))
  # "//" keeps integer division, matching C arithmetic
  origlen = len(raw) * 4 // 3 + 1
  fixedlen = ((4 * len(raw) // 3) + 3) & ~3
  print()
  print("input len =  ", c)
  print("encoded len =", enclen)
  print("orig len =   ", origlen, ("(bad)" if enclen > origlen else ""))
  print("fixed len =  ", fixedlen, ("(bad)" if enclen > fixedlen else ""))
  print("waste =      ", fixedlen - enclen)

for i in range(7): calc(i)
EOF

Output:

---
input len =   0
encoded len = 0
orig len =    1
fixed len =   0
waste =       0

input len =   1
encoded len = 4
orig len =    2 (bad)
fixed len =   4
waste =       0

input len =   2
encoded len = 4
orig len =    3 (bad)
fixed len =   4
waste =       0

input len =   3
encoded len = 4
orig len =    5
fixed len =   4
waste =       0

input len =   4
encoded len = 8
orig len =    6 (bad)
fixed len =   8
waste =       0

input len =   5
encoded len = 8
orig len =    7 (bad)
fixed len =   8
waste =       0

input len =   6
encoded len = 8
orig len =    9
fixed len =   8
waste =       0
---
@michaelrsweet
Collaborator

Changing the title to reflect the issue - httpEncode64_2 won't overflow, it will truncate.

@michaelrsweet michaelrsweet added this to the CUPS 2.2.x Updates milestone Nov 13, 2018
@michaelrsweet michaelrsweet self-assigned this Nov 13, 2018
@michaelrsweet michaelrsweet changed the title Avoid buffer overflow when encoding Kerberos token Avoid truncation when encoding Kerberos token Nov 13, 2018
@michaelrsweet
Collaborator

[master ef2f369] Fix potential truncation of Kerberos credentials (Issue #5435)

[branch-2.2 fe35d60] Fix potential truncation of Kerberos credentials (Issue #5435)
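
The truncation described in the thread, with the two size formulas from the proof-of-concept, as an added C example that is not CUPS code and not part of the original conversation. `b64_bounded` and `chars_lost` are hypothetical names, and it is an assumption that each formula counts encoded characters with one extra byte allocated for the terminator.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical length-limited encoder (not CUPS code): writes at most
   outsize-1 base64 characters plus a NUL and drops whatever does not fit. */
static size_t b64_bounded(char *out, size_t outsize,
                          const unsigned char *in, size_t inlen)
{
  static const char tbl[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  size_t i, k, o = 0;
  char q[4];
  if (outsize == 0) return 0;
  for (i = 0; i < inlen; i += 3) {
    size_t rem = inlen - i;
    unsigned long v = (unsigned long)in[i] << 16;
    if (rem > 1) v |= (unsigned long)in[i + 1] << 8;
    if (rem > 2) v |= in[i + 2];
    q[0] = tbl[(v >> 18) & 63];
    q[1] = tbl[(v >> 12) & 63];
    q[2] = rem > 1 ? tbl[(v >> 6) & 63] : '=';
    q[3] = rem > 2 ? tbl[v & 63] : '=';
    for (k = 0; k < 4 && o + 1 < outsize; k++)  /* silent truncation */
      out[o++] = q[k];
  }
  out[o] = '\0';
  return o;
}

/* Size formulas from the proof-of-concept, in encoded characters. */
static size_t orig_len(size_t n)  { return n * 4 / 3 + 1; }
static size_t fixed_len(size_t n) { return ((4 * n / 3) + 3) & ~(size_t)3; }

/* Encode n (<= 64) bytes of 'A' into room for cap (< 128) characters plus
   NUL; return how many characters of the full encoding were dropped. */
static size_t chars_lost(size_t n, size_t cap)
{
  unsigned char in[64];
  char out[128];
  memset(in, 'A', sizeof(in));
  return 4 * ((n + 2) / 3) - b64_bounded(out, cap + 1, in, n);
}

int main(void)
{
  for (size_t n = 0; n < 7; n++)
    printf("n=%zu lost(orig)=%zu lost(fixed)=%zu\n", n,
           chars_lost(n, orig_len(n)), chars_lost(n, fixed_len(n)));
  return 0;
}
```

A token cut short this way is still a NUL-terminated string, so the caller sees no error; comparing the encoder's return value against `4 * ((n + 2) / 3)` is one way to detect it.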
