]> git.ipfire.org Git - thirdparty/squid.git/commitdiff
projects / thirdparty / squid.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: db9cd17)
negotiate_kerberos_auth: Properly align NDR data (#2186)
authorJoshua Rogers <MegaManSec@users.noreply.github.com>
Mon, 8 Sep 2025 22:18:21 +0000 (22:18 +0000)
committerSquid Anubis <squid-anubis@squid-cache.org>
Mon, 8 Sep 2025 22:18:30 +0000 (22:18 +0000)
Resolves sporadic Negotiate/Kerberos auth failures that manifested
as proxy 407 loops or helper errors when decoding PAC data, depending
on ticket layout.

Previously, the parser advanced bpos by the remainder:
(bpos += bpos %n)
instead of padding to the next multiple of n.

For example, n = 4:
    bpos=5 (r=1): current: 6 (wrong), correct: 8
    bpos=6 (r=2): current: 8 (accidentally right)
    bpos=7 (r=3): current: 10 (wrong), correct: 8

src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc patch | blob | blame | history

diff --git a/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc b/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc
index 1d6c0a01998b864457b598cb431e1596096ce11a..0403fcfd7d978e5e47f68d0c81971dc9a9a7b7d7 100644 (file)
--- a/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc
+++ b/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc
@@ -55,11 +55,8 @@ check_k5_err(krb5_context context, const char *function, krb5_error_code code);
 void
 align(int n)
 {
-    if ( bpos % n != 0 ) {
-        int al;
-        al = (bpos/n);
-        bpos = bpos+(bpos-n*al);
-    }
+    if (const auto r = bpos % n)
+        bpos += (n - r);
 }
 
 void
Mirror of https://github.com/squid-cache/squid.git