[CDRIVER-3486] libsasl buffer overflow with oversized kerberos msgs Created: 15/Jan/20  Updated: 28/Oct/23  Resolved: 12/Feb/20

Status: Closed
Project: C Driver
Component/s: auth, network
Affects Version/s: 1.13.0
Fix Version/s: 1.17.0-beta, 1.17.0

Type: Bug Priority: Major - P3
Reporter: Luke Prochazka Assignee: Kevin Albertson
Resolution: Fixed Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Linux client authenticating to Active Directory with the GSSAPI (Kerberos) authmech


Issue Links:
Related
related to CDRIVER-3725 Uninitialized read in SSPI Closed

 Description   

Symptoms:

Driver exception message "SASL Failure: (-3): overflowed buffer: generic server error" manifests when the Kerberos ticket size exceeds the driver's predefined SASL 4K buffer.

This is confirmed also via a stack trace of the driver:

I0109 12:28:52.877523 24645 xxx.cpp:606] mongocxx::CYRUS-SASL:TRACE: _mongoc_cyrus_start():317 Created new sasl client successfully
I0109 12:28:52.877530 24645 xxx.cpp:606] mongocxx::CYRUS-SASL:TRACE: _mongoc_cyrus_is_failure():238 Got status: 0 ok is 0, continue=1 interact=2
I0109 12:28:52.880652 24645 xxx.cpp:606] mongocxx::CYRUS-SASL:TRACE: _mongoc_cyrus_start():329 Started the sasl client successfully
I0109 12:28:52.880681 24645 xxx.cpp:606] mongocxx::CYRUS-SASL:TRACE: _mongoc_cyrus_is_failure():238 Got status: 1 ok is 0, continue=1 interact=2
I0109 12:28:52.880690 24645 xxx.cpp:606] mongocxx::CYRUS-SASL:TRACE: _mongoc_cyrus_is_failure():238 Got status: -3 ok is 0, continue=1 interact=2

Preliminary tests of increasing the buffer size appear to resolve the issue, though it is not clear if doing this has any knock-on effects. Also note that, when calculating the buffer size, the SASL payload is base64 encoded (thereby contributing to buffer bloat), and the Windows MaxTokenSize is 48K, should you wish to consider interoperability with Active Directory.



 Comments   
Comment by Githook User [ 12/Feb/20 ]

Author: Kevin Albertson (kevinAlbs, kevin.albertson@mongodb.com)

Message: CDRIVER-3486 do not run Cyrus on Windows 32 bit

C:\sasl\lib\sasl2.lib on Evergreen hosts is built for 64 bit.
We already test on 64 bit.
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/1d9493ed5d77b9a7ef4d6159f3a4d73cf1b99479

Comment by Githook User [ 12/Feb/20 ]

Author: Kevin Albertson (kevinAlbs, kevin.albertson@mongodb.com)

Message: CDRIVER-3486 fix UBSAN
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/f3499db2cf91591f147de77b19670da418ed383e

Comment by Githook User [ 12/Feb/20 ]

Author: Kevin Albertson (kevinAlbs, kevin.albertson@mongodb.com)

Message: CDRIVER-3486 alloc buffers for SASL

Instead of using a fixed size 4096 buffer, dynamically
allocate buffers used for base64 encoding and decoding.

Also use libbson's base64 encoding/decoding instead of
sasl's
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/e985349af754d3153f1fdfc3bc6df3dd4e4190eb
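
The sizing problem from the description and the last commit message, as an added example (not code from the driver or from the linked commits): base64 expands a token by 4/3, so a fixed 4096-byte buffer holds at most a 3069-byte token, while a 48K token needs 65537 bytes. The function names and the all-zero stand-in token are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define FIXED_BUF_LEN 4096 /* fixed buffer size named in the ticket */
static const char B64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Bytes needed to base64-encode raw_len bytes, NUL included; 0 if it would overflow. */
size_t b64_encoded_size (size_t raw_len) {
   return raw_len > SIZE_MAX / 2 ? 0 : 4 * ((raw_len + 2) / 3) + 1;
}

/* Encode into out; returns characters written, or -1 if out_len is too small. */
long b64_encode (const uint8_t *in, size_t in_len, char *out, size_t out_len) {
   size_t need = b64_encoded_size (in_len), i, o = 0;
   if (need == 0 || out_len < need) return -1; /* refuse rather than write past out */
   for (i = 0; i < in_len; i += 3) {
      uint32_t v = (uint32_t) in[i] << 16;
      if (i + 1 < in_len) v |= (uint32_t) in[i + 1] << 8;
      if (i + 2 < in_len) v |= in[i + 2];
      out[o++] = B64[(v >> 18) & 63];
      out[o++] = B64[(v >> 12) & 63];
      out[o++] = i + 1 < in_len ? B64[(v >> 6) & 63] : '=';
      out[o++] = i + 2 < in_len ? B64[v & 63] : '=';
   }
   out[o] = '\0';
   return (long) o;
}

/* Fixed-buffer pattern: 0 if the token fits in 4096 bytes once encoded, else -1. */
int encode_fixed (const uint8_t *tok, size_t len) {
   char buf[FIXED_BUF_LEN];
   return b64_encode (tok, len, buf, sizeof buf) < 0 ? -1 : 0;
}

/* Dynamic pattern: size the buffer from the token. Caller frees the result. */
char *encode_dynamic (const uint8_t *tok, size_t len, size_t *written) {
   size_t need = b64_encoded_size (len);
   char *buf = need ? malloc (need) : NULL;
   if (buf) *written = (size_t) b64_encode (tok, len, buf, need);
   return buf;
}

int main (void) {
   static uint8_t tok[48 * 1024]; /* constructed all-zero stand-in for a 48K token */
   size_t n = 0;
   char *enc = encode_dynamic (tok, sizeof tok, &n);
   printf ("fixed: %d, dynamic: %zu chars\n", encode_fixed (tok, sizeof tok), n);
   free (enc);
}
```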
