negotiate_wrapper_auth: protect from responses over 64KB (#1530)
authorAlex Rousskov <rousskov@measurement-factory.com>
Fri, 20 Oct 2023 22:24:45 +0000 (22:24 +0000)
committerSquid Anubis <squid-anubis@squid-cache.org>
Sat, 21 Oct 2023 06:25:43 +0000 (06:25 +0000)
... received from NTLM and Kerberos helpers.

This code uses MAX_AUTHTOKEN_LEN (~64KB) buffers to read response lines.
fgets(3) guarantees to terminate the supplied buffer, but it does not
return nil when the input line is larger than the buffer. We have
already detected such "Oversized message" cases for fgets(stdin) calls,
but not for fgets(FDNOUT) and fgets(FDKOUT) calls.

src/auth/negotiate/wrapper/negotiate_wrapper.cc

index 5d70b171d8422c19c671e620db33fab4e9c3579f..b53391c370175e0e9fcae05dfa9ac34d4e286e36 100644 (file)
@@ -224,6 +224,13 @@ processingLoop(FILE *FDKIN, FILE *FDKOUT, FILE *FDNIN, FILE *FDNOUT)
                         LogTime(), PROGRAM);
                 return 0;
             }
+
+            if (!memchr(tbuff, '\n', sizeof(tbuff) - 1)) {
+                fprintf(stderr, "%s| %s: Oversized NTLM helper response\n",
+                        LogTime(), PROGRAM);
+                return 0;
+            }
+
             /*
              * Need to translate NTLM reply to Negotiate reply:
              *  AF user => AF blob user
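Review bot: The added `memchr(tbuff, '\n', sizeof(tbuff) - 1)` check searches the whole buffer rather than only the string fgets() just stored, so its result can depend on bytes after the terminator. Those bytes are left over from an earlier, longer response, or indeterminate if the buffer is never cleared, which is not visible in this hunk. The oversized case is still caught, because fgets() then fills all `sizeof(tbuff) - 1` bytes without a newline. A response that ends without a newline for another reason (for example the helper closing its pipe mid-line) may be accepted as complete when a stale `'\n'` sits beyond the terminator. Limiting the search to the current string, `if (!strchr(tbuff, '\n')) {`, makes the check fail closed on any unterminated line, and the same applies to the `buff` check in the Kerberos hunk; processingLoop's body starts and ends outside both hunks.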
@@ -256,6 +263,12 @@ processingLoop(FILE *FDKIN, FILE *FDKOUT, FILE *FDNIN, FILE *FDNOUT)
                         LogTime(), PROGRAM);
                 return 0;
             }
+
+            if (!memchr(buff, '\n', sizeof(buff) - 1)) {
+                fprintf(stderr, "%s| %s: Oversized Kerberos helper response\n",
+                        LogTime(), PROGRAM);
+                return 0;
+            }
         }
         buff[sizeof(buff)-1] = '\0'; // paranoid; already terminated correctly
         fprintf(stdout,"%s",buff);