From 3238ca57c7896f7ab1c58ee078ca7ba91fdaf69f Mon Sep 17 00:00:00 2001
From: Alex Rousskov
Date: Fri, 20 Oct 2023 22:24:45 +0000
Subject: [PATCH] negotiate_wrapper_auth: protect from responses over 64KB (#1530)

... received from NTLM and Kerberos helpers. This code uses MAX_AUTHTOKEN_LEN (~64KB) buffers to read response lines. fgets(3) guarantees to terminate the supplied buffer, but it does not return nil when the input line is larger than the buffer. We have already detected such "Oversized message" cases for fgets(stdin) calls, but not for fgets(FDNOUT) and fgets(FDKOUT) calls.
---
 src/auth/negotiate/wrapper/negotiate_wrapper.cc | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/auth/negotiate/wrapper/negotiate_wrapper.cc b/src/auth/negotiate/wrapper/negotiate_wrapper.cc
index 5d70b171d8..b53391c370 100644
--- a/src/auth/negotiate/wrapper/negotiate_wrapper.cc
+++ b/src/auth/negotiate/wrapper/negotiate_wrapper.cc
@@ -224,6 +224,13 @@ processingLoop(FILE *FDKIN, FILE *FDKOUT, FILE *FDNIN, FILE *FDNOUT)
 LogTime(), PROGRAM);
 return 0;
 }
+
+ if (!memchr(tbuff, '\n', sizeof(tbuff) - 1)) {
+ fprintf(stderr, "%s| %s: Oversized NTLM helper response\n",
+ LogTime(), PROGRAM);
+ return 0;
+ }
+
 /*
 * Need to translate NTLM reply to Negotiate reply:
 * AF user => AF blob user
@@ -256,6 +263,12 @@ processingLoop(FILE *FDKIN, FILE *FDKOUT, FILE *FDNIN, FILE *FDNOUT)
 LogTime(), PROGRAM);
 return 0;
 }
+
+ if (!memchr(buff, '\n', sizeof(buff) - 1)) {
+ fprintf(stderr, "%s| %s: Oversized Kerberos helper response\n",
+ LogTime(), PROGRAM);
+ return 0;
+ }
 }
 buff[sizeof(buff)-1] = '\0'; // paranoid; already terminated correctly
 fprintf(stdout,"%s",buff);
-- 
2.47.2
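Review bot: The memchr() scan in the first hunk (and the identical one in the Kerberos hunk at @@ -256) covers the whole 64KB buffer rather than the bytes fgets() actually stored this time, so a short final line that a helper ends without '\n' (pipe closed) is reported as "Oversized" or accepted depending on whether a stale newline from an earlier, longer read survives beyond the NUL terminator — the verdict is not a function of the current line. Since fgets() always NUL-terminates, `if (!strchr(tbuff, '\n'))` (and `strchr(buff, '\n')` in the second hunk) stops at the terminator, makes the check deterministic and avoids scanning 64KB per response; if an unterminated last line before EOF is meant to be accepted rather than rejected, that case needs an explicit feof() test, which the current code does not distinguish. Rejecting the ambiguous case is the safer default for an auth helper, but the log message should then say so, e.g. `"Oversized or unterminated NTLM helper response"`. processingLoop starts before and continues past both hunks.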