C Driver / CDRIVER-3486

libsasl buffer overflow with oversized kerberos msgs

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: 1.13.0
    • Fix Version/s: 1.17.0-beta, 1.17.0
    • Component/s: auth, network
    • Labels: None
    • Environment: Linux client authenticating to Active Directory with GSSAPI (kerberos) authmech

    Description

      Symptoms:

      Driver exception message "SASL Failure: (-3): overflowed buffer: generic server error" manifests when the Kerberos ticket size exceeds the driver's predefined SASL 4K buffer.

      This is confirmed also via a stack trace of the driver:

      I0109 12:28:52.877523 24645 xxx.cpp:606] mongocxx::CYRUS-SASL:TRACE: _mongoc_cyrus_start():317 Created new sasl client successfully
      I0109 12:28:52.877530 24645 xxx.cpp:606] mongocxx::CYRUS-SASL:TRACE: _mongoc_cyrus_is_failure():238 Got status: 0 ok is 0, continue=1 interact=2
      I0109 12:28:52.880652 24645 xxx.cpp:606] mongocxx::CYRUS-SASL:TRACE: _mongoc_cyrus_start():329 Started the sasl client successfully
      I0109 12:28:52.880681 24645 xxx.cpp:606] mongocxx::CYRUS-SASL:TRACE: _mongoc_cyrus_is_failure():238 Got status: 1 ok is 0, continue=1 interact=2
      I0109 12:28:52.880690 24645 xxx.cpp:606] mongocxx::CYRUS-SASL:TRACE: _mongoc_cyrus_is_failure():238 Got status: -3 ok is 0, continue=1 interact=2
      

      Preliminary tests of increasing the buffer size appear to resolve the issue, though it is not clear if doing this has any knock-on effects. Also note, when calculating the buffer size, that the SASL payload is base64 encoded (thereby contributing to buffer bloat), and that the Windows MaxTokenSize is 48K, should you wish to consider interoperability with Active Directory.
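
The sizing point in the description (a 4K buffer, base64 expansion, a 48K maximum token), worked through as an added example; this is not the driver's or Cyrus SASL's code. The function names and the ENC_BUFOVER constant are hypothetical, the token is constructed, and "48K" is taken as 48 * 1024 bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ENC_OK 0
#define ENC_BUFOVER (-3)          /* same status value as in the trace above */
#define DRIVER_BUF 4096           /* the 4K buffer named in the report */
#define AD_MAX_TOKEN (48 * 1024)  /* assumption: "48K" read as 48 * 1024 */

/* Bytes needed for the base64 form of n raw bytes plus a trailing NUL. */
size_t b64_buf_needed(size_t n) { return 4 * ((n + 2) / 3) + 1; }

/* Largest raw token whose base64 form plus NUL fits in cap bytes. */
size_t b64_max_raw(size_t cap) { return cap ? ((cap - 1) / 4) * 3 : 0; }

/* Bounded encoder: returns ENC_BUFOVER instead of writing past out[cap]. */
int b64_encode_bounded(const uint8_t *in, size_t n, char *out, size_t cap,
                       size_t *outlen)
{
    static const char t[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i = 0, o = 0;
    if (b64_buf_needed(n) > cap) return ENC_BUFOVER;
    for (; i + 2 < n; i += 3) {               /* full 3-byte groups */
        uint32_t v = ((uint32_t)in[i] << 16) | ((uint32_t)in[i + 1] << 8) | in[i + 2];
        out[o++] = t[v >> 18];        out[o++] = t[(v >> 12) & 63];
        out[o++] = t[(v >> 6) & 63];  out[o++] = t[v & 63];
    }
    if (i < n) {                              /* 1 or 2 trailing bytes, padded */
        int two = (i + 1 < n);
        uint32_t v = ((uint32_t)in[i] << 16) | (two ? (uint32_t)in[i + 1] << 8 : 0);
        out[o++] = t[v >> 18];        out[o++] = t[(v >> 12) & 63];
        out[o++] = two ? t[(v >> 6) & 63] : '=';
        out[o++] = '=';
    }
    out[o] = '\0';
    *outlen = o;
    return ENC_OK;
}

int main(void)
{
    static uint8_t token[4000];               /* constructed oversized token */
    char out[DRIVER_BUF];
    size_t len = 0;
    printf("max raw token for %d-byte buffer: %zu\n", DRIVER_BUF, b64_max_raw(DRIVER_BUF));
    printf("4000-byte token -> status %d\n", b64_encode_bounded(token, sizeof token, out, sizeof out, &len));
    printf("buffer for a %d-byte token: %zu\n", AD_MAX_TOKEN, b64_buf_needed(AD_MAX_TOKEN));
}
```

A 4096-byte output buffer holds the encoded form of at most 3069 raw bytes, so a token well under 4K already fails once it is base64 encoded.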

            People

              kevin.albertson@mongodb.com Kevin Albertson
              luke.prochazka@mongodb.com Luke Prochazka