Apache module uses strings without null termination
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| GSS-API Web | Confirmed | High | Unassigned | |
Bug Description
The Apache module often uses the contents of a gss_buffer as a C string, under the assumption that it is null-terminated, when there is no guarantee of that. An example of this is:

```c
gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "Acquiring creds for %s", token.value);
```
Another example of this is within the get_gss_error() function (the lines below are as they appear in the report, several of them cut short):

```c
do {
    maj_stat = gss_display_status (&min_stat,
                                   &msg_ctx,
    if (!GSS_ERROR(
        err_msg = apr_pstrcat(
                              NULL);
        gss_release_
        first_pass = 0;
    }
} while (!GSS_ERROR(
```
Every place where a string is incorrectly assumed to be null-terminated is a potential security problem.
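As an added illustration, not code from the gssweb module or its authors, here are two bounded ways to use the bytes of a gss_buffer: copying them into a fresh NUL-terminated string, and formatting them with a `%.*s` precision so the read stops at `length`. The struct below is a local stand-in with the same layout as RFC 2744's gss_buffer_desc so the example builds without gssapi.h, and the token contents are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-in with the same layout as RFC 2744's gss_buffer_desc,
 * so the example builds without gssapi.h. A real token has exactly
 * this shape: a byte count plus a pointer to bytes, no terminator. */
typedef struct {
    size_t length;
    void *value;
} gss_buffer_desc;

/* Copy exactly buf->length bytes into a fresh NUL-terminated string
 * (a pool-free analogue of apr_pstrmemdup). The caller frees the result;
 * returns NULL if allocation fails. */
char *gss_buffer_to_cstr(const gss_buffer_desc *buf)
{
    char *s = malloc(buf->length + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, buf->value, buf->length);
    s[buf->length] = '\0';
    return s;
}

/* Log-style formatting that never reads past buf->length: the "%.*s"
 * precision bounds the read, unlike a bare "%s" on token.value. */
int format_token_line(char *out, size_t outlen, const gss_buffer_desc *buf)
{
    return snprintf(out, outlen, "Acquiring creds for %.*s",
                    (int)buf->length, (const char *)buf->value);
}

/* Constructed check: a 16-byte token that sits directly in front of
 * unrelated bytes with no NUL in between. Returns 1 when both bounded
 * paths stop at the token's length, 0 otherwise. */
int bounded_paths_stop_at_length(void)
{
    static char backing[] = "user@EXAMPLE.ORGbytes-after-the-token";
    gss_buffer_desc token = { 16, backing };
    char line[64];
    char *copy = gss_buffer_to_cstr(&token);
    int ok = copy != NULL
          && strcmp(copy, "user@EXAMPLE.ORG") == 0
          && format_token_line(line, sizeof line, &token) == 36
          && strcmp(line, "Acquiring creds for user@EXAMPLE.ORG") == 0;
    free(copy);
    return ok;
}
```

With a bare `%s` the same token would be read until the first NUL after the token, which here lies in the unrelated bytes.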
affects: moonshot → gssweb
Changed in gssweb:
status: New → Confirmed
importance: Undecided → High
We should confirm that the gss code is not null terminating these strings.