Apache module uses strings without null termination

Bug #1366135 reported by Mark Donnelly
This bug affects 2 people
Affects      Status     Importance  Assigned to  Milestone
GSS-API Web  Confirmed  High        Unassigned

Bug Description

The Apache module often uses strings out of a gss_buffer under the assumption that it's null-terminated when there's no guarantee of that. An example of this is:

    gss_log(APLOG_MARK, APLOG_DEBUG, 0, r, "Acquiring creds for %s", token.value);

Another example of this is within the get_gss_error() function:
    do {
        maj_stat = gss_display_status(&min_stat,
                                      err_min,
                                      GSS_C_MECH_CODE,
                                      GSS_C_NULL_OID,
                                      &msg_ctx,
                                      &status_string);
        if (!GSS_ERROR(maj_stat)) {
            err_msg = apr_pstrcat(r->pool, err_msg,
                                  (first_pass) ? "" : ", ",
                                  (char *) status_string.value,
                                  NULL);
            gss_release_buffer(&min_stat, &status_string);
            first_pass = 0;
        }
    } while (!GSS_ERROR(maj_stat) && msg_ctx != 0);

Any time a string is incorrectly assumed to be null-terminated is a potential security problem.
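The safe way to consume a gss_buffer is to honour its length field rather than scan for a terminator. The following is an added illustration, not code from the gssweb module; it defines a stand-in gss_buffer_desc with the same length/value shape so it builds without the GSS-API headers, and uses a constructed token whose name bytes are followed by non-NUL data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the GSS-API gss_buffer_desc: a byte count plus a
 * pointer. Nothing guarantees that value[length] is a NUL byte. */
typedef struct {
    size_t length;
    void *value;
} gss_buffer_desc, *gss_buffer_t;

/* Safe copy: duplicate exactly `length` bytes and add the terminator ourselves.
 * (apr_pstrmemdup(pool, value, length) is the pool-allocated APR equivalent.) */
char *gss_buffer_to_cstring(const gss_buffer_t buf) {
    if (buf == NULL || buf->value == NULL) return strdup("");
    char *s = malloc(buf->length + 1);
    if (s == NULL) return NULL;
    memcpy(s, buf->value, buf->length);
    s[buf->length] = '\0';
    return s;
}

/* Safe formatting without a copy: "%.*s" bounds the read to buf->length,
 * whereas plain "%s" on buf->value would run past the end of the data. */
int format_buffer(char *out, size_t outsz, const char *prefix, const gss_buffer_t buf) {
    return snprintf(out, outsz, "%s%.*s", prefix, (int)buf->length, (const char *)buf->value);
}

/* Runs both helpers on the constructed token; returns 1 when both stop at
 * the 9 real bytes and ignore the trailing "XYZ". */
int demo_check(void) {
    unsigned char raw[] = { 'H','T','T','P','/','h','o','s','t', 'X','Y','Z' };
    gss_buffer_desc token = { 9, raw };   /* length covers only "HTTP/host" */
    char line[64];
    char *name = gss_buffer_to_cstring(&token);
    int n = format_buffer(line, sizeof line, "Acquiring creds for ", &token);
    int ok = name != NULL
          && strcmp(name, "HTTP/host") == 0
          && n == 29
          && strcmp(line, "Acquiring creds for HTTP/host") == 0;
    free(name);
    return ok;
}

int main(void) {
    printf("%s\n", demo_check() ? "length-bounded handling OK" : "FAILED");
    return demo_check() ? 0 : 1;
}
```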

Sam Hartman (hartmans)
affects: moonshot → gssweb
Changed in gssweb:
status: New → Confirmed
importance: Undecided → High
Margaret Cullen (mrw42) wrote:

We should confirm that the gss code is not null terminating these strings.
