Cyrus SASL 2.1.25 gssapi dereferences null pointer

Matthew Hardin mhardin at symas.com
Sat Jan 7 15:10:56 EST 2012


In SASL 2.1.25 the gssapi module dumps core during GSSAPI authentication for OpenLDAP:

Analysis:

At line 373 in plugins/gssapi.c, function sasl_gss_encode declares *p
and sets it at the same time to text->encode_buf. The problem is that
this function can be called without a buffer, in which case the
subsequent call to _plug_buf_alloc allocates a new buffer (instead of
resizing an existing buffer) and sets text->encode_buf to point to it. The
problem is that p is never updated with the buffer address. This same
bug is likely to cause heap corruption if the buffer already exists and
has to be resized by _plug_buf_alloc, as the resized buffer will have a
new address and p will not be updated.

The fix is as follows:

diff -r cyrus-sasl-2.1.25/plugins/gssapi.c
cyrus-sasl-2.1.25.fixed/plugins/gssapi.c
373c373
< unsigned char * p = (unsigned char *) text->encode_buf;
---
> unsigned char * p;
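Review bot: leaving `p` uninitialized at line 373 is only safe if nothing between this declaration and the assignment added at line 387 reads `p`; the classic-diff output carries no surrounding context, so that cannot be confirmed from the hunk alone. Please check that every use of `p` in sasl_gss_encode follows the `_plug_buf_alloc` call, or initialize it (`unsigned char * p = NULL;`) so that any use before the assignment faults deterministically instead of dereferencing stack garbage.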
386c386,387
<
---
>
> p = (unsigned char *) text->encode_buf;
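Review bot: the new assignment at line 387 must sit after the `_plug_buf_alloc` call and after its return value has been checked, otherwise on allocation failure `p` would be refreshed from a buffer that was never (re)allocated. The hunk shows only the inserted line, so please confirm the ordering `_plug_buf_alloc(...)` then error check then `p = (unsigned char *) text->encode_buf;`, and that no write through `p` occurs in between.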


Cheers,

-Matt

Matthew Hardin
Symas - The LDAP Guys
http://www.symas.com
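The stale-pointer hazard described in the analysis above, as an added stand-alone example that is not code from Cyrus SASL or from this post. The `ctx_t` struct, `buf_alloc`, `encode_stale_pointer`, `encode_fixed` and `buffer_holds` are all hypothetical models written for this illustration: `buf_alloc` mimics what the message attributes to `_plug_buf_alloc` (allocate on first use, grow otherwise), but grows by allocate-copy-free so that the block is guaranteed to move; a realloc-based helper may grow in place, which is why the corruption case is intermittent in practice while the NULL-dereference case on the first call is deterministic.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the plugin's per-session state (the real
   gssapi.c keeps encode_buf and its length in its context struct). */
typedef struct {
    char *encode_buf;
    unsigned encode_buf_len;
} ctx_t;

/* Model of _plug_buf_alloc, not the Cyrus SASL implementation: ensure
   *buf can hold `need` bytes. On first use it allocates; on growth it
   deliberately moves the block (allocate, copy, free) so that any pointer
   taken before this call is guaranteed to be stale. Returns 0 on success. */
static int buf_alloc(char **buf, unsigned *curlen, unsigned need)
{
    if (*buf == NULL) {
        *buf = malloc(need);
        if (*buf == NULL) return -1;
        *curlen = need;
    } else if (*curlen < need) {
        char *nb = malloc(need);
        if (nb == NULL) return -1;
        memcpy(nb, *buf, *curlen);
        free(*buf);
        *buf = nb;
        *curlen = need;
    }
    return 0;
}

/* Ordering of the unpatched sasl_gss_encode: p is taken from encode_buf
   before buf_alloc may create or replace it. Instead of writing through p
   (NULL on the first call, dangling after a move) this only reports the
   hazard: 1 if p no longer matches the live buffer, 0 if it still does,
   -1 on allocation failure. */
static int encode_stale_pointer(ctx_t *text, unsigned need)
{
    unsigned char *p = (unsigned char *) text->encode_buf;   /* too early */
    if (buf_alloc(&text->encode_buf, &text->encode_buf_len, need) != 0)
        return -1;
    return p != (unsigned char *) text->encode_buf;
}

/* Ordering after the patch: p is assigned only once the buffer is known
   to exist and to be large enough. Copies `len` bytes of data into it. */
static int encode_fixed(ctx_t *text, const unsigned char *data, unsigned len)
{
    unsigned char *p;
    if (buf_alloc(&text->encode_buf, &text->encode_buf_len, len) != 0)
        return -1;
    p = (unsigned char *) text->encode_buf;                  /* refreshed */
    memcpy(p, data, len);
    return 0;
}

/* Check helper: 1 if the live buffer holds `data`, else 0. */
static int buffer_holds(const ctx_t *text, const unsigned char *data, unsigned len)
{
    return text->encode_buf != NULL && text->encode_buf_len >= len &&
           memcmp(text->encode_buf, data, len) == 0;
}

static void ctx_free(ctx_t *text)
{
    free(text->encode_buf);
    text->encode_buf = NULL;
    text->encode_buf_len = 0;
}

int main(void)
{
    ctx_t c = { NULL, 0 };
    int first  = encode_stale_pointer(&c, 16);  /* no buffer yet: p was NULL */
    int second = encode_stale_pointer(&c, 64);  /* growth: p now dangles */
    ctx_free(&c);
    return (first == 1 && second == 1) ? 0 : 1;
}
```

The two calls in `main` reproduce the two failure modes the message lists: the first call shows the early `p` pointing at nothing, the second shows it pointing at memory that `buf_alloc` has already freed; a write through `p` at that point is the heap corruption the analysis predicts. `encode_fixed` is the patched ordering and is the one to follow whenever a helper may reallocate the buffer it is handed.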

