comparison src/auth/mech-gssapi.c @ 9324:5d53b1d66d1b HEAD
auth: Check for potentially dangerous NULs in usernames.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Fri, 14 Aug 2009 02:54:41 -0400 |
parents | 0ec0b1f1ac6a |
children | a37fa30b0072 |
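--- a/src/auth/mech-gssapi.c
+++ b/src/auth/mech-gssapi.c
@@ -211,10 +211,22 @@
 return GSS_C_NO_NAME;
 }
 return name;
 }
 
+static bool data_has_nuls(const void *data, unsigned int len)
+{
+const unsigned char *c = data;
+unsigned int i;
+
+for (i = 0; i < len; i++) {
+if (c[i] == '\0')
+return TRUE;
+}
+return FALSE;
+}
+
 static int get_display_name(struct auth_request *auth_request, gss_name_t name,
 gss_OID *name_type_r, const char **display_name_r)
 {
 OM_uint32 major_status, minor_status;
 gss_buffer_desc buf;
@@ -222,10 +234,15 @@
 major_status = gss_display_name(&minor_status, name,
 &buf, name_type_r);
 if (major_status != GSS_S_COMPLETE) {
 mech_gssapi_log_error(auth_request, major_status,
 GSS_C_GSS_CODE, "gss_display_name");
+return -1;
+}
+if (data_has_nuls(buf.value, buf.length)) {
+auth_request_log_info(auth_request, "gssapi",
+"authn_name has NULs");
 return -1;
 }
 *display_name_r = t_strndup(buf.value, buf.length);
 (void)gss_release_buffer(&minor_status, &buf);
 return 0;
@@ -495,10 +512,16 @@
 return -1;
 }
 name = (unsigned char *)outbuf.value + 4;
 name_len = outbuf.length - 4;
 
+if (data_has_nuls(name, name_len)) {
+auth_request_log_info(auth_request, "gssapi",
+"authz_name has NULs");
+return -1;
+}
+
 login_user = p_strndup(auth_request->pool, name, name_len);
 request->authz_name = import_name(auth_request, name, name_len);
 if (request->authz_name == GSS_C_NO_NAME) {
 auth_request_log_info(auth_request, "gssapi", "no authz_name");
 return -1;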
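Review bot: The new NUL check in get_display_name returns -1 while `buf` still holds the storage filled in by the successful gss_display_name() call, so every rejected name leaks that buffer; the success path just below does release it. Add `(void)gss_release_buffer(&minor_status, &buf);` before the `return -1;` in the `data_has_nuls(buf.value, buf.length)` branch. The authz_name check in the last hunk also returns early while `outbuf` is in use, and whether that buffer is released on failure paths is not visible here because the enclosing function starts and ends outside the hunk, so it is worth checking the same way. Separately, data_has_nuls takes `unsigned int len` while GSS buffer lengths are `size_t`; declaring the parameter as `size_t len` keeps the scanned range identical to what t_strndup/p_strndup then copy.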