Uploaded image for project: 'C Driver'
  1. C Driver
  2. CDRIVER-3486

libsasl buffer overflow with oversized kerberos msgs

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 1.17.0-beta, 1.17.0
    • Affects Version/s: 1.13.0
    • Component/s: auth, network
    • None
    • Environment:
      Linux client authenticating to Active Directory with GSSAPI (kerberos) authmech

      Symptoms:

      Driver exception message "SASL Failure: (-3): overflowed buffer: generic server error" manifest when the kerberos ticket size exceeds the driver's predefined SASL 4K buffer.

      This is confirmed also via a stack trace of the driver:

      I0109 12:28:52.877523 24645 xxx.cpp:606] mongocxx::CYRUS-SASL:TRACE: _mongoc_cyrus_start():317 Created new sasl client successfully
      I0109 12:28:52.877530 24645 xxx.cpp:606] mongocxx::CYRUS-SASL:TRACE: _mongoc_cyrus_is_failure():238 Got status: 0 ok is 0, continue=1 interact=2
      I0109 12:28:52.880652 24645 xxx.cpp:606] mongocxx::CYRUS-SASL:TRACE: _mongoc_cyrus_start():329 Started the sasl client successfully
      I0109 12:28:52.880681 24645 xxx.cpp:606] mongocxx::CYRUS-SASL:TRACE: _mongoc_cyrus_is_failure():238 Got status: 1 ok is 0, continue=1 interact=2
      I0109 12:28:52.880690 24645 xxx.cpp:606] mongocxx::CYRUS-SASL:TRACE: _mongoc_cyrus_is_failure():238 Got status: -3 ok is 0, continue=1 interact=2
      

      Preliminary tests of increasing the buffer size appear to resolve the issue, though it is not clear if doing this has any knock on effects. Also to note when calculating the buffer size, the SASL payload is base64 encoded (thereby contributing to buffer bloat), and the Windows MaxTokenSize is 48K, should you wish to consider interoperability with Active Directory.

            Assignee:
            kevin.albertson@mongodb.com Kevin Albertson
            Reporter:
            luke.prochazka@mongodb.com Luke Prochazka
            Votes:
            1 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: