Uploaded image for project: 'C Driver'
  1. C Driver
  2. CDRIVER-3725

Uninitialized read in SSPI

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Critical - P2 Critical - P2
    • 1.17.0-rc0, 1.17.0
    • Affects Version/s: None
    • Component/s: None
    • None

      CDRIVER-3486 modified _mongoc_cluster_auth_node_sspi to remove the 4096 byte limit on SASL payloads received from the server. buf was changed from a fixed 4096 buffer to a dynamically allocated one. However, the base64 string was copied without the NULL terminator. And buf is subsequently base64 decoded in _mongoc_sspi_base64_decode. This uses CryptStringToBinaryA to decode:

      if (CryptStringToBinaryA (
                value, 0, CRYPT_STRING_BASE64, NULL, rlen, NULL, NULL)) {
      

      The second argument is the input length, which is explicitly 0, and the expectation being that value (aka buf) is NULL terminated.

      As a note, I believe this may have been buggy prior to the changes of CDRIVER-3486 as well. Though buf was initially a zero-initialized buffer of 4096 bytes, it was not zero-initialized every iteration.

            Assignee:
            kevin.albertson@mongodb.com Kevin Albertson
            Reporter:
            kevin.albertson@mongodb.com Kevin Albertson
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: