C Driver / CDRIVER-3725

Uninitialized read in SSPI


Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical - P2
    • Resolution: Fixed
    • Fix Version/s: 1.17.0-rc0, 1.17.0

    Description

      CDRIVER-3486 modified _mongoc_cluster_auth_node_sspi to remove the 4096 byte limit on SASL payloads received from the server: buf was changed from a fixed 4096-byte buffer to a dynamically allocated one. However, the base64 string was copied into buf without the NULL terminator, and buf is subsequently base64 decoded in _mongoc_sspi_base64_decode, which uses CryptStringToBinaryA to decode:

      if (CryptStringToBinaryA (
             value, 0, CRYPT_STRING_BASE64, NULL, rlen, NULL, NULL)) {

      The second argument is the input length, which is explicitly 0, and the expectation is therefore that value (aka buf) is NULL terminated.

      As a note, I believe this may have been buggy prior to the changes of CDRIVER-3486 as well. Though buf was initially a zero-initialized buffer of 4096 bytes, it was not zero-initialized every iteration.
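      The copy-without-terminator pattern above, and the two ways of closing it, as an added portable illustration that is not the driver's code. The decoder below is a hypothetical stand-in that only mirrors the calling convention the report describes for CryptStringToBinaryA (a length of 0 means "measure the input with strlen()"); it is not _mongoc_sspi_base64_decode, and the base64 payload is a constructed sample. It shows the fix the report implies (allocate one extra byte and terminate the copy) alongside the alternative of passing the byte count received from the wire so no terminator is needed at all.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample SASL payload as it would arrive from the server:
 * base64 of "hello", carried with an explicit byte count and no terminator. */
static const char SAMPLE_B64[] = "aGVsbG8=";
static const size_t SAMPLE_B64_LEN = 8;

static int b64_val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Hypothetical portable decoder mirroring the calling convention the report
 * describes for CryptStringToBinaryA: len == 0 means "value is NUL-terminated,
 * measure it with strlen()". If the caller's buffer carries no terminator,
 * that strlen() is exactly the read past the allocation the report describes.
 * Returns the decoded byte count, or -1 on malformed input or a short output buffer. */
long b64_decode_cryptlike(const char *value, size_t len, uint8_t *out, size_t out_cap)
{
    size_t i, n = 0;
    uint32_t acc = 0;
    int bits = 0;

    if (len == 0)
        len = strlen(value);

    for (i = 0; i < len; i++) {
        int v;
        if (value[i] == '=')
            break;                      /* padding: nothing more to decode */
        v = b64_val((unsigned char) value[i]);
        if (v < 0)
            return -1;
        acc = (acc << 6) | (uint32_t) v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= out_cap)
                return -1;
            out[n++] = (uint8_t) ((acc >> bits) & 0xFF);
            acc &= (1u << bits) - 1;    /* keep only the unconsumed bits */
        }
    }
    return (long) n;
}

/* The fix for the reported copy: allocate len + 1 bytes and write the
 * terminator, so a later len == 0 decode stops inside the allocation. */
char *copy_payload_terminated(const char *src, size_t len)
{
    char *buf = malloc(len + 1);
    if (!buf)
        return NULL;
    memcpy(buf, src, len);
    buf[len] = '\0';
    return buf;
}

/* Path 1: terminated heap copy, decoded with len == 0 (the driver's usage). */
long decode_via_terminated_copy(const char *payload, size_t payload_len,
                                uint8_t *out, size_t out_cap)
{
    char *buf = copy_payload_terminated(payload, payload_len);
    long n;
    if (!buf)
        return -1;
    n = b64_decode_cryptlike(buf, 0, out, out_cap);
    free(buf);
    return n;
}

/* Returns 1 when both paths decode SAMPLE_B64 to "hello": path 1 relies on
 * the terminator, path 2 hands the wire length to the decoder instead. */
int demo_both_paths(void)
{
    uint8_t a[16], b[16];
    long na = decode_via_terminated_copy(SAMPLE_B64, SAMPLE_B64_LEN, a, sizeof a);
    long nb = b64_decode_cryptlike(SAMPLE_B64, SAMPLE_B64_LEN, b, sizeof b);
    return na == 5 && nb == 5 &&
           memcmp(a, "hello", 5) == 0 && memcmp(b, "hello", 5) == 0;
}

int main(void)
{
    printf("both paths decode correctly: %s\n", demo_both_paths() ? "yes" : "no");
    return 0;
}
```

      Of the two paths, passing the explicit length is the more robust one: it removes the decoder's dependence on a terminator entirely, whereas the terminated copy only works as long as every future copy site remembers the extra byte.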

      People: Assignee / Reporter: Kevin Albertson (kevin.albertson@mongodb.com)