<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Wed Feb 07 21:18:51 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
<language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[CDRIVER-3725] Uninitialized read in SSPI</title>
                <link>https://jira.mongodb.org/browse/CDRIVER-3725</link>
                <project id="10030" key="CDRIVER">C Driver</project>
                    <description>&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-3486&quot; title=&quot;libsasl buffer overflow with oversized kerberos msgs&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-3486&quot;&gt;&lt;del&gt;CDRIVER-3486&lt;/del&gt;&lt;/a&gt; modified &lt;tt&gt;_mongoc_cluster_auth_node_sspi&lt;/tt&gt; to remove the 4096 byte limit on SASL payloads received from the server. &lt;tt&gt;buf&lt;/tt&gt; was changed from a fixed 4096 buffer to a dynamically allocated one. However, the base64 string was copied without the NULL terminator. And &lt;tt&gt;buf&lt;/tt&gt; is subsequently base64 decoded in &lt;tt&gt;_mongoc_sspi_base64_decode&lt;/tt&gt;. This uses &lt;tt&gt;CryptStringToBinaryA&lt;/tt&gt; to decode:&lt;/p&gt;

&lt;pre&gt;if (CryptStringToBinaryA (
          value, 0, CRYPT_STRING_BASE64, NULL, rlen, NULL, NULL)) {&lt;/pre&gt;

&lt;p&gt;The second argument is the input length, which is explicitly 0, with the expectation that &lt;tt&gt;value&lt;/tt&gt; (aka &lt;tt&gt;buf&lt;/tt&gt;) is NULL terminated.&lt;/p&gt;

&lt;p&gt;As a note, I believe this may have been buggy prior to the changes of &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-3486&quot; title=&quot;libsasl buffer overflow with oversized kerberos msgs&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-3486&quot;&gt;&lt;del&gt;CDRIVER-3486&lt;/del&gt;&lt;/a&gt; as well. Though &lt;tt&gt;buf&lt;/tt&gt; was initially a zero-initialized buffer of 4096 bytes, it was not zero-initialized every iteration.&lt;/p&gt;</description>
                <environment></environment>
        <key id="1386466">CDRIVER-3725</key>
            <summary>Uninitialized read in SSPI</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="2" iconUrl="https://jira.mongodb.org/images/icons/priorities/critical.svg">Critical - P2</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13201">Fixed</resolution>
                                        <assignee username="kevin.albertson@mongodb.com">Kevin Albertson</assignee>
                                    <reporter username="kevin.albertson@mongodb.com">Kevin Albertson</reporter>
                        <labels>
                    </labels>
                <created>Tue, 23 Jun 2020 01:48:01 +0000</created>
                <updated>Sat, 28 Oct 2023 11:28:43 +0000</updated>
                            <resolved>Mon, 29 Jun 2020 19:38:45 +0000</resolved>
                                                    <fixVersion>1.17.0-rc0</fixVersion>
                    <fixVersion>1.17.0</fixVersion>
                                                        <votes>0</votes>
                                    <watches>1</watches>
                                                                                                                <comments>
                            <comment id="3281147" author="xgen-internal-githook" created="Sat, 11 Jul 2020 16:20:29 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Kevin Albertson&apos;, &apos;email&apos;: &apos;kevin.albertson@mongodb.com&apos;, &apos;username&apos;: &apos;kevinAlbs&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-3725&quot; title=&quot;Uninitialized read in SSPI&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-3725&quot;&gt;&lt;del&gt;CDRIVER-3725&lt;/del&gt;&lt;/a&gt; fix uninitialized read&lt;br/&gt;
Branch: r1.17&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/commit/25b8729e8b1d600aefe1e434b859aee0dc0f77f2&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/commit/25b8729e8b1d600aefe1e434b859aee0dc0f77f2&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="3228829" author="xgen-internal-githook" created="Mon, 29 Jun 2020 19:38:32 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Kevin Albertson&apos;, &apos;email&apos;: &apos;kevin.albertson@mongodb.com&apos;, &apos;username&apos;: &apos;kevinAlbs&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-3725&quot; title=&quot;Uninitialized read in SSPI&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-3725&quot;&gt;&lt;del&gt;CDRIVER-3725&lt;/del&gt;&lt;/a&gt; fix uninitialized read&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/commit/ec9c74dae2ff6e70ac850a3936378aa517098524&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/commit/ec9c74dae2ff6e70ac850a3936378aa517098524&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="3218749" author="kevin.albertson" created="Tue, 23 Jun 2020 01:58:27 +0000"  >&lt;p&gt;PR: &lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/pull/643&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/pull/643&lt;/a&gt;&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                                        </outwardlinks>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="1092485">CDRIVER-3486</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                    <customfield id="customfield_13552" key="com.go2group.jira.plugin.crm:crm_generic_field">
                        <customfieldname>Case</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[[5002K00000nnpCqQAI]]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hxdxpb:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            </customfields>
    </item>
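<!--
Added example by the editor, not mongo-c-driver code, to make concrete the contract the CDRIVER-3725 description above relies on: CryptStringToBinaryA called with a string length of 0 scans for a NUL terminator, so whatever copied the base64 text must have written one. The portable decoder, the two copy helpers, decode_sasl_payload and the sample payload are the editor's constructions standing in for _mongoc_sspi_base64_decode and the copy in _mongoc_cluster_auth_node_sspi; none of these names or signatures are the driver's.

```c
/* Added example (editor's own, not mongo-c-driver code) modelling the
 * CDRIVER-3725 bug. CryptStringToBinaryA(value, 0, ...) treats a string
 * length of 0 as "scan until the NUL terminator"; a payload copied without
 * that terminator makes the decoder read past the end of the buffer (or,
 * with the old reused 4096-byte buffer, read stale bytes from an earlier,
 * longer message). base64_decode below keeps the same length-0 contract so
 * the hazard is visible; the helpers show the copy that caused it and the
 * copy that fixes it. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

static int b64_val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode base64 `in` into `out`. Mirrors the CryptStringToBinaryA contract:
 * in_len == 0 means "in is NUL-terminated, find the length yourself", which
 * is only safe when the caller actually wrote that terminator.
 * Returns the number of bytes written, or -1 on malformed input. */
long base64_decode(const char *in, size_t in_len, uint8_t *out, size_t out_cap) {
    if (in_len == 0) in_len = strlen(in);  /* the path CDRIVER-3725 relied on */
    if (in_len % 4 != 0) return -1;
    size_t n = 0;
    for (size_t i = 0; i < in_len; i += 4) {
        uint32_t acc = 0;
        int pad = 0;
        for (int j = 0; j < 4; j++) {
            char c = in[i + j];
            if (c == '=') { pad++; acc <<= 6; continue; }
            if (pad) return -1;               /* data after padding */
            int v = b64_val((unsigned char)c);
            if (v < 0) return -1;
            acc = (acc << 6) | (uint32_t)v;
        }
        if (pad > 2) return -1;
        size_t bytes = 3 - (size_t)pad;
        if (n + bytes > out_cap) return -1;
        out[n++] = (uint8_t)(acc >> 16);
        if (bytes > 1) out[n++] = (uint8_t)(acc >> 8);
        if (bytes > 2) out[n++] = (uint8_t)acc;
    }
    return (long)n;
}

/* The shape of the bug: exact-size allocation, no terminator. Passing the
 * result to a length-0 decode is an out-of-bounds read, so no caller in this
 * file does that; it is here only to show the contrast. */
char *copy_payload_unsafe(const char *payload, size_t len) {
    char *buf = malloc(len);
    if (!buf) return NULL;
    memcpy(buf, payload, len);       /* buf[len] is never written */
    return buf;
}

/* The fix: one extra byte and an explicit NUL, so a NUL-scanning decoder
 * stops inside the allocation. */
char *copy_payload_safe(const char *payload, size_t len) {
    char *buf = malloc(len + 1);
    if (!buf) return NULL;
    memcpy(buf, payload, len);
    buf[len] = '\0';
    return buf;
}

/* Hardened flow (assumed shape, not the driver's function): terminate the
 * copy AND pass the length already known, so the decoder never has to scan
 * for a terminator at all. */
long decode_sasl_payload(const char *payload, size_t len,
                         uint8_t *out, size_t out_cap) {
    char *buf = copy_payload_safe(payload, len);
    if (!buf) return -1;
    long n = base64_decode(buf, len, out, out_cap);
    free(buf);
    return n;
}
```

base64_decode keeps the length-0 path only so the hazard stays visible; decode_sasl_payload never depends on it, because it both terminates the copy and passes the length it already knows. The reused 4096-byte buffer the description mentions fails the same way: without re-zeroing each iteration, a shorter message is followed by the tail of the previous one rather than by a terminator.
-->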
</channel>
</rss>