Cyrus SASL 2.1.25 gssapi dereferences null pointer
Matthew Hardin
mhardin at symas.com
Sat Jan 7 15:10:56 EST 2012
In SASL 2.1.25 the gssapi module dumps core during GSSAPI authentication for OpenLDAP.
Analysis:
At line 373 in plugins/gssapi.c, function sasl_gss_encode declares *p
and initializes it at the same time to text->encode_buf. The problem is that
this function can be called without a buffer, in which case the
subsequent call to _plug_buf_alloc allocates a new buffer (instead of
resizing an existing buffer) and sets text->encode_buf to point to it. The
problem is that p is never updated with the buffer address. This same
bug is likely to cause heap corruption if the buffer already exists and
has to be resized by _plug_buf_alloc, as the resized buffer will have a
new address and p will not be updated.
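Added example, not code from Cyrus SASL or from this report: a reduced C model of the pattern described above, with a hypothetical buf_alloc standing in for _plug_buf_alloc and a hypothetical ctx_t for the gssapi context; the 4-byte length-prefix framing in encode_fixed is an assumption for illustration only.

```c
#include <stdlib.h>
#include <string.h>

typedef struct {
    char *encode_buf;          /* NULL until the first encode call */
    unsigned encode_buf_len;
} ctx_t;

/* Hypothetical stand-in for _plug_buf_alloc: (re)allocates *buf to hold at
   least `need` bytes. realloc may move the buffer, which is the resize case. */
static int buf_alloc(char **buf, unsigned *len, unsigned need)
{
    char *nb;
    if (*buf != NULL && *len >= need) return 0;
    nb = realloc(*buf, need);
    if (nb == NULL) return -1;
    *buf = nb;
    *len = need;
    return 0;
}

/* The 2.1.25 ordering: p is read before buf_alloc, so it is NULL on the first
   call and stale after a move. Returns 1 if p no longer matches the buffer
   (instead of writing through it, which is what crashes in the real module). */
static int encode_stale_pointer(ctx_t *text, unsigned need)
{
    unsigned char *p = (unsigned char *) text->encode_buf;
    if (buf_alloc(&text->encode_buf, &text->encode_buf_len, need) != 0) return -1;
    return p != (unsigned char *) text->encode_buf;
}

/* The fixed ordering: allocate first, then take p from the context. */
static int encode_fixed(ctx_t *text, const unsigned char *data, unsigned n)
{
    unsigned char *p;
    if (buf_alloc(&text->encode_buf, &text->encode_buf_len, n + 4) != 0) return -1;
    p = (unsigned char *) text->encode_buf;   /* read p only after allocation */
    p[0] = (unsigned char)(n >> 24); p[1] = (unsigned char)(n >> 16);
    p[2] = (unsigned char)(n >> 8);  p[3] = (unsigned char) n;
    memcpy(p + 4, data, n);
    return (int)(n + 4);
}

int bug_leaves_stale_pointer(void)          /* 1: p is still NULL, buffer is not */
{
    ctx_t text = { NULL, 0 };
    int r = encode_stale_pointer(&text, 16);
    free(text.encode_buf);
    return r;
}

int fixed_writes_correctly(void)            /* 1: framed "hello" lands in the buffer */
{
    ctx_t text = { NULL, 0 };
    const unsigned char msg[] = "hello";    /* constructed sample payload */
    int n = encode_fixed(&text, msg, 5);
    int ok = n == 9 && text.encode_buf[3] == 5 && memcmp(text.encode_buf + 4, "hello", 5) == 0;
    free(text.encode_buf);
    return ok;
}
```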
The fix is as follows:
diff -r cyrus-sasl-2.1.25/plugins/gssapi.c cyrus-sasl-2.1.25.fixed/plugins/gssapi.c
373c373
< unsigned char * p = (unsigned char *) text->encode_buf;
---
> unsigned char * p;
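Review bot: removing the initializer at line 373 leaves p indeterminate until it is assigned later in the function, so any read of p between the declaration and the _plug_buf_alloc call would now be an uninitialized use; please confirm no such read exists (compiling with warnings for uninitialized variables enabled is a quick check).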
386c386,387
<
---
>
> p = (unsigned char *) text->encode_buf;
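Review bot: the assignment added at line 387 must sit after the _plug_buf_alloc return value is checked, since on allocation failure text->encode_buf may still be NULL or unchanged and the function should return the error before p is used; the hunk shows no context lines, so please confirm that ordering. A short comment on line 387 saying that p must be (re)read after every _plug_buf_alloc call, because the buffer can be reallocated to a new address, would also protect against reintroducing the resize case described in the analysis.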
Cheers,
-Matt
Matthew Hardin
Symas - The LDAP Guys
http://www.symas.com