- Type: Bug
- Resolution: Fixed
- Priority: Critical - P2
- Affects Version/s: None
- Component/s: None
(copied to CRM)
CDRIVER-3486 modified _mongoc_cluster_auth_node_sspi to remove the 4096 byte limit on SASL payloads received from the server: buf was changed from a fixed 4096-byte buffer to a dynamically allocated one. However, the base64 string was copied into buf without the NULL terminator, and buf is subsequently base64-decoded in _mongoc_sspi_base64_decode, which uses CryptStringToBinaryA:
if (CryptStringToBinaryA (value, 0, CRYPT_STRING_BASE64, NULL, rlen, NULL, NULL)) {
The second argument is the input length; it is explicitly 0, which tells CryptStringToBinaryA that value (aka buf) is NULL terminated.
As a note, I believe this may have been buggy prior to the changes of CDRIVER-3486 as well. Though buf was initially a zero-initialized buffer of 4096 bytes, it was not zero-initialized every iteration.
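Added example, not the driver's code: a payload copy that keeps the terminator the report says was dropped, beside a portable stand-in for the "length 0 means NUL-terminated" contract of CryptStringToBinaryA. The function names, the base64 size helper and the sample wire bytes are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Copy a base64 SASL payload from a wire buffer into a heap buffer.
 * The bug pattern is malloc(len) + memcpy with no terminator: a consumer
 * that measures the string with strlen() then reads past the allocation.
 * Allocating len + 1 and writing the terminator is the fix shown here. */
static char *copy_sasl_payload(const uint8_t *payload, size_t len)
{
   char *buf = malloc(len + 1); /* +1 for the terminator */
   if (!buf) return NULL;
   memcpy(buf, payload, len);
   buf[len] = '\0';
   return buf;
}

/* Stand-in (assumption, not the Windows API) for the cchString contract of
 * CryptStringToBinaryA: cch == 0 means "value is NUL-terminated, measure it". */
static size_t base64_input_length(const char *value, size_t cch)
{
   return cch == 0 ? strlen(value) : cch;
}

/* Decoded byte count implied by a base64 string; 0 if the length is not a
 * multiple of four (malformed). Padding '=' is subtracted. */
static size_t base64_decoded_size(const char *value, size_t cch)
{
   size_t n = base64_input_length(value, cch);
   size_t pad = 0;
   if (n == 0 || n % 4 != 0) return 0;
   if (value[n - 1] == '=') pad++;
   if (value[n - 2] == '=') pad++;
   return n / 4 * 3 - pad;
}

/* Constructed sample: "YWJj" followed by unrelated bytes, as a wire buffer
 * would hold them, with no terminator anywhere in the input. */
static size_t demo_roundtrip(void)
{
   static const uint8_t wire[] = { 'Y', 'W', 'J', 'j', 'X', 'X', 'X' };
   char *buf = copy_sasl_payload(wire, 4);
   size_t decoded;
   if (!buf) return 0;
   decoded = base64_decoded_size(buf, 0); /* length 0: relies on the terminator */
   free(buf);
   return decoded; /* 3 */
}
```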
Is related to: CDRIVER-3486 libsasl buffer overflow with oversized kerberos msgs (Closed)