comparison src/auth/mech-gssapi.c @ 9324:5d53b1d66d1b HEAD

auth: Check for potentially dangerous NULs in usernames.
author Timo Sirainen <tss@iki.fi>
date Fri, 14 Aug 2009 02:54:41 -0400
parents 0ec0b1f1ac6a
children a37fa30b0072
9323:93e2b0519e65 9324:5d53b1d66d1b
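--- a/src/auth/mech-gssapi.c
+++ b/src/auth/mech-gssapi.c
@@ -211,10 +211,22 @@
 return GSS_C_NO_NAME;
 }
 return name;
 }
 
+static bool data_has_nuls(const void *data, unsigned int len)
+{
+const unsigned char *c = data;
+unsigned int i;
+
+for (i = 0; i < len; i++) {
+if (c[i] == '\0')
+return TRUE;
+}
+return FALSE;
+}
+
 static int get_display_name(struct auth_request *auth_request, gss_name_t name,
 gss_OID *name_type_r, const char **display_name_r)
 {
 OM_uint32 major_status, minor_status;
 gss_buffer_desc buf;
@@ -222,10 +234,15 @@
 major_status = gss_display_name(&minor_status, name,
 &buf, name_type_r);
 if (major_status != GSS_S_COMPLETE) {
 mech_gssapi_log_error(auth_request, major_status,
 GSS_C_GSS_CODE, "gss_display_name");
+return -1;
+}
+if (data_has_nuls(buf.value, buf.length)) {
+auth_request_log_info(auth_request, "gssapi",
+"authn_name has NULs");
 return -1;
 }
 *display_name_r = t_strndup(buf.value, buf.length);
 (void)gss_release_buffer(&minor_status, &buf);
 return 0;
@@ -495,10 +512,16 @@
 return -1;
 }
 name = (unsigned char *)outbuf.value + 4;
 name_len = outbuf.length - 4;
 
+if (data_has_nuls(name, name_len)) {
+auth_request_log_info(auth_request, "gssapi",
+"authz_name has NULs");
+return -1;
+}
+
 login_user = p_strndup(auth_request->pool, name, name_len);
 request->authz_name = import_name(auth_request, name, name_len);
 if (request->authz_name == GSS_C_NO_NAME) {
 auth_request_log_info(auth_request, "gssapi", "no authz_name");
 return -1;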
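Review bot: The new NUL check in get_display_name returns -1 without releasing `buf`, which gss_display_name has already filled by then; the success path just below calls gss_release_buffer, so every rejected name leaks the GSS-API buffer on a path driven by client-supplied data. Add `(void)gss_release_buffer(&minor_status, &buf);` before the `return -1;` in the `data_has_nuls(buf.value, buf.length)` branch. The authz_name check in the later hunk returns early in the same way; whether `outbuf` has to be released there cannot be seen from these lines and should be confirmed. data_has_nuls takes `unsigned int len` but is passed `buf.length`, which is a `size_t`, so `memchr(data, '\0', len) != NULL` with a `size_t` parameter would be the simpler and width-safe form. The closing brace of get_display_name lies outside the lines shown.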