Any info on CVE-2006-1721 ?
Kai Blin
blin at gmx.net
Wed Oct 4 05:47:04 EDT 2006
On Wednesday 04 October 2006 10:07, Biswatosh wrote:
> > > 2)What if,
> > > (a) realm != NULL
> > > and (b) strcmp(realm,text->realm) != 0
> > > and (c) text->realm[0] == 0 , are all true?
> >
> > This is a != 0, not a == 0. So we make sure that...
>
> Yes, SASL code checks text->realm[0] != 0, correct, but
> my question was what if text->realm[0] == 0, and
> having realm != NULL and realm not same as text->realm
Oh, I thought you had misread the patch. Sorry then.
> Where is this being validated? Why are we not making
> SETERROR(sparams->util,"realm changed: authentication
> aborted") then? The realm has certainly changed, isn't
> it, even if text->realm is an empty string?
To be honest, I am no expert on this code, I've only looked into the ntlm
plugin a little, but from a quick look at the source code, I would say this:
text is a context_t struct used for the authentication. The sanity check you
were asking about is from digestmd5_server_mech_step2(). The context is
initialized in digestmd5_server_mech_new(), where it is memset to 0 (line
1002). Unless it's set by some helper function I missed while reading
digestmd5_server_mech_step1(), it's not initialized on a new context when the
sanity check happens in digestmd5_server_mech_step2(). So on the first run on
a new context, text->realm[0] is always == 0.
Thus it would not make sense to fail on that. This only makes sure that a
context is not reused on a different realm.
Cheers,
Kai
--
Kai Blin, <blin At gmx Dot net>
WorldForge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin/
--
Ninjas and Pirates agree: Cowboys suck!
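To make the three-part condition discussed above concrete, here is an added illustrative model (not code from Cyrus SASL or from either poster) of a zeroed context, the realm-recording step, and the "realm changed" check; context_t, context_new(), context_set_realm(), realm_changed(), fresh_context_check() and reuse_check() are simplified stand-ins for the plugin's real structures and functions.

```c
#include <string.h>
#include <stdio.h>

#define REALM_MAX 64

/* Simplified stand-in for the plugin's context_t: only the realm matters here. */
typedef struct {
    char realm[REALM_MAX];
} context_t;

/* Models the zeroing in mech_new(): a fresh context has realm[0] == 0. */
void context_new(context_t *text) {
    memset(text, 0, sizeof(*text));
}

/* Models the step that records the negotiated realm in the context.
 * Returns 0 on success, -1 if the realm is missing or too long. */
int context_set_realm(context_t *text, const char *realm) {
    if (realm == NULL || strlen(realm) >= sizeof(text->realm)) return -1;
    strcpy(text->realm, realm);  /* length checked above, so no overflow */
    return 0;
}

/* The step2 sanity check from the thread: abort with "realm changed" only
 * when this context already recorded a realm and the new one differs.
 * Returns 1 = abort, 0 = continue. */
int realm_changed(const context_t *text, const char *realm) {
    return realm != NULL
        && strcmp(realm, text->realm) != 0
        && text->realm[0] != 0;
}

/* Kai's point: on a brand-new (zeroed) context the check can never fire. */
int fresh_context_check(const char *realm) {
    context_t text;
    context_new(&text);
    return realm_changed(&text, realm);
}

/* Context reuse: record `first`, then run the check again with `second`. */
int reuse_check(const char *first, const char *second) {
    context_t text;
    context_new(&text);
    if (context_set_realm(&text, first) != 0) return -1;
    return realm_changed(&text, second);
}

int main(void) {
    printf("fresh context:          %d\n", fresh_context_check("example.org"));
    printf("reused, same realm:     %d\n", reuse_check("example.org", "example.org"));
    printf("reused, other realm:    %d\n", reuse_check("example.org", "other.org"));
    return 0;
}
```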