From: Greg Hudson Date: Tue, 28 Jul 2020 16:51:06 +0000 (-0400) Subject: Do proper length decoding in SPNEGO gss_get_oid() X-Git-Tag: krb5-1.19-beta1~36 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f712fa5a94438096d3c2449babe4aca9c17d7feb;p=thirdparty%2Fkrb5.git Do proper length decoding in SPNEGO gss_get_oid() When reading an OID in a SPNEGO token, use gssint_get_der_length() rather than assuming the length fits in one byte. Although OID lengths greater than 127 are unlikely, some NetApp products have been observed to incorrectly encode the length in multiple bytes. Reported by Richard Sharpe. ticket: 8932 (new) --- diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c index 68e389748f..450145d541 100644 --- a/src/lib/gssapi/spnego/spnego_mech.c +++ b/src/lib/gssapi/spnego/spnego_mech.c @@ -3338,20 +3338,19 @@ get_mech_oid(OM_uint32 *minor_status, unsigned char **buff_in, size_t length) OM_uint32 status; gss_OID_desc toid; gss_OID mech_out = NULL; - unsigned char *start, *end; + unsigned int bytes; + int oid_length; if (length < 1 || **buff_in != MECH_OID) return (NULL); - - start = *buff_in; - end = start + length; - (*buff_in)++; - toid.length = *(*buff_in)++; + length--; - if ((*buff_in + toid.length) > end) + oid_length = gssint_get_der_length(buff_in, length, &bytes); + if (oid_length < 0 || length - bytes < (size_t)oid_length) return (NULL); + toid.length = oid_length; toid.elements = *buff_in; *buff_in += toid.length;
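Review bot: The new bounds check `if (oid_length < 0 || length - bytes < (size_t)oid_length)` is only sound if gssint_get_der_length() guarantees `bytes <= length` whenever it returns a non-negative value; `length` is `size_t`, so if `bytes` could ever exceed it the subtraction wraps and the check passes for any `oid_length`. Either add an explicit `bytes > length` guard before the subtraction or document the precondition in a comment next to the call. Also worth a brief comment that `length--` accounts for the MECH_OID tag byte consumed by `(*buff_in)++`, since the old `start`/`end` bookkeeping that made the remaining-length arithmetic visible has been removed.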