When reading an OID in a SPNEGO token, use gssint_get_der_length()
rather than assuming the length fits in one byte. Although OID
lengths greater than 127 are unlikely, some NetApp products have been
observed to incorrectly encode the length in multiple bytes. Reported
by Richard Sharpe.
ticket: 8932 (new)
OM_uint32 status;
gss_OID_desc toid;
gss_OID mech_out = NULL;
- unsigned char *start, *end;
+ unsigned int bytes;
+ int oid_length;
if (length < 1 || **buff_in != MECH_OID)
return (NULL);
-
- start = *buff_in;
- end = start + length;
-
(*buff_in)++;
- toid.length = *(*buff_in)++;
+ length--;
- if ((*buff_in + toid.length) > end)
+ oid_length = gssint_get_der_length(buff_in, length, &bytes);
+ if (oid_length < 0 || length - bytes < (size_t)oid_length)
return (NULL);
+ toid.length = oid_length;
toid.elements = *buff_in;
*buff_in += toid.length;
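Review bot: the new bound check `length - bytes < (size_t)oid_length` is only safe if gssint_get_der_length() never reports a `bytes` value larger than the `length` it was given. `bytes` is declared `unsigned int`, so if that ever happened the subtraction would wrap and the check would pass with an out-of-range `oid_length`. Either add an explicit `bytes > length` test before the subtraction, or add a comment stating that the helper guarantees `bytes <= length` on success. The check also mixes `int`, `unsigned int` and `size_t` in one expression. It would be easier to audit if `oid_length` were validated as non-negative first and then compared using a single unsigned type. Finally, the commit message says the multi-byte length encoding was seen from NetApp products, but nothing in the code records that. A short comment above the gssint_get_der_length() call explaining why a long-form length is accepted here would stop a later cleanup from restoring the one-byte read.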