[CDRIVER-3725] Uninitialized read in SSPI Created: 23/Jun/20  Updated: 28/Oct/23  Resolved: 29/Jun/20

Status: Closed
Project: C Driver
Component/s: None
Affects Version/s: None
Fix Version/s: 1.17.0-rc0, 1.17.0

Type: Bug Priority: Critical - P2
Reporter: Kevin Albertson Assignee: Kevin Albertson
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to CDRIVER-3486 libsasl buffer overflow with oversize... Closed
Case:

Description

CDRIVER-3486 modified _mongoc_cluster_auth_node_sspi to remove the 4096 byte limit on SASL payloads received from the server: buf was changed from a fixed 4096-byte buffer to a dynamically allocated one. However, the base64 string was copied into buf without its NULL terminator, and buf is subsequently base64 decoded in _mongoc_sspi_base64_decode, which uses CryptStringToBinaryA:

if (CryptStringToBinaryA (
          value, 0, CRYPT_STRING_BASE64, NULL, rlen, NULL, NULL)) {

The second argument is the input length. It is explicitly 0, which tells CryptStringToBinaryA to measure the input itself, so value (aka buf) is expected to be NULL terminated; without the terminator the decode reads past the end of the copied payload.

As a note, I believe this may have been buggy prior to the changes of CDRIVER-3486 as well. Though buf was initially a zero-initialized buffer of 4096 bytes, it was not zero-initialized every iteration.
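The two defences against this class of bug, as an added example that is not the driver's code: copy the server payload into a buffer that is always NUL terminated, and/or hand the decoder the real length so it never has to measure the string. The function names, the sample payload and the portable base64 decoder (which stands in for CryptStringToBinaryA and copies its "length 0 means strlen" convention) are all constructed for this illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not the driver's code): copy a SASL payload received
 * from the server into a new buffer that is always NUL terminated. The server
 * payload carries no terminator, so the copy reserves one extra byte and
 * writes it. That byte is what the original copy in CDRIVER-3486 left out,
 * which let a length-0 decode run past the end of buf. */
char *copy_sasl_payload (const uint8_t *payload, size_t payload_len)
{
   char *buf = malloc (payload_len + 1);
   if (!buf) {
      return NULL;
   }
   memcpy (buf, payload, payload_len);
   buf[payload_len] = '\0';
   return buf;
}

/* Portable base64 decoder mimicking the CryptStringToBinaryA length convention:
 * in_len == 0 means "measure the input with strlen", so that path is only safe
 * on a NUL-terminated buffer. Passing the real length removes the dependency.
 * Returns the decoded byte count, or (size_t) -1 on malformed input. */
size_t base64_decode (const char *in, size_t in_len, uint8_t *out, size_t out_cap)
{
   static const char tbl[] =
      "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
   uint32_t acc = 0;
   int bits = 0;
   size_t out_len = 0;

   if (in_len == 0) {
      in_len = strlen (in); /* the strlen dependency */
   }
   if (in_len % 4 != 0) {
      return (size_t) -1;
   }
   for (size_t i = 0; i < in_len; i++) {
      const char *p;
      if (in[i] == '=') {
         break; /* padding: nothing more to decode */
      }
      if (in[i] == '\0' || !(p = strchr (tbl, in[i]))) {
         return (size_t) -1; /* not in the base64 alphabet */
      }
      acc = (acc << 6) | (uint32_t) (p - tbl);
      bits += 6;
      if (bits >= 8) {
         bits -= 8;
         if (out_len >= out_cap) {
            return (size_t) -1;
         }
         out[out_len++] = (uint8_t) (acc >> bits);
         acc &= (1u << bits) - 1; /* keep only the leftover bits */
      }
   }
   return out_len;
}

/* Constructed sample: base64 of the 13-byte text "hello, world!" exactly as it
 * would arrive from the server, i.e. with no terminator after the 20 chars. */
static const uint8_t sample_payload[20] = {'a', 'G', 'V', 's', 'b', 'G', '8',
                                           's', 'I', 'H', 'd', 'v', 'c', 'm',
                                           'x', 'k', 'I', 'Q', '=', '='};

/* Defence 1: copy with a terminator, after which the length-0 (strlen) decode
 * is safe. Returns the decoded byte count (13) or (size_t) -1 on failure. */
size_t demo_terminated_copy (void)
{
   uint8_t out[32];
   size_t n;
   char *buf = copy_sasl_payload (sample_payload, sizeof sample_payload);
   if (!buf || buf[sizeof sample_payload] != '\0') {
      free (buf);
      return (size_t) -1;
   }
   n = base64_decode (buf, 0, out, sizeof out);
   if (n != 13 || memcmp (out, "hello, world!", 13) != 0) {
      n = (size_t) -1;
   }
   free (buf);
   return n;
}

/* Defence 2: pass the real length so the decoder never needs a terminator.
 * The buffer here deliberately has junk after the payload and no NUL at all;
 * with an explicit length those bytes are never examined. */
size_t demo_explicit_length (void)
{
   uint8_t out[32];
   char buf[24];
   size_t n;
   memcpy (buf, sample_payload, sizeof sample_payload);
   memset (buf + sizeof sample_payload, 'X', 4);
   n = base64_decode (buf, sizeof sample_payload, out, sizeof out);
   if (n != 13 || memcmp (out, "hello, world!", 13) != 0) {
      return (size_t) -1;
   }
   return n;
}
```

Either defence alone closes the over-read; the terminated copy is the one that matches the page's description (buf is expected to be NULL terminated), while the explicit length is the more robust choice because it does not depend on every caller remembering the extra byte.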



Comments
Comment by Githook User [ 11/Jul/20 ]

Author:

{'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}

Message: CDRIVER-3725 fix uninitialized read
Branch: r1.17
https://github.com/mongodb/mongo-c-driver/commit/25b8729e8b1d600aefe1e434b859aee0dc0f77f2

Comment by Githook User [ 29/Jun/20 ]

Author:

{'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}

Message: CDRIVER-3725 fix uninitialized read
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/ec9c74dae2ff6e70ac850a3936378aa517098524

Comment by Kevin Albertson [ 23/Jun/20 ]

PR: https://github.com/mongodb/mongo-c-driver/pull/643

Generated at Wed Feb 07 21:18:51 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.