On 3/18/21 4:53 PM, Tony Rodriguez wrote:
> I am new to kerberos. How can I sanity test that recursion within
> asn.1_encode stops after 31? Does kerberos have any command line
> utilities to test asn.1_encode? If so, what are they and which
> parameters must I pass? If not, does someone have example code that I
> can compile to test the recursion level logic works as expected?

I've attached the test program I wrote to verify the problem. Run it with a numeric buffer size argument. With the unpatched code I was able to produce a stack overflow with a buffer size of 90000.

#include <krb5.h>
#include <assert.h>
#include <stdlib.h>

/* Not declared in krb5.h, so declare it here. */
krb5_error_code decode_krb5_ap_req(const krb5_data *output,
                                   krb5_ap_req **rep);

int main(int argc, char **argv)
{
    char *buf;
    size_t i, len;
    krb5_data d;

    /* The buffer size argument is required. */
    if (argc < 2)
        return 1;
    len = atoi(argv[1]);
    assert(len % 2 == 0);
    buf = malloc(len);
    if (buf == NULL)
        return 1;
    /* Fill the buffer with nested [APPLICATION 14] constructed tags. */
    for (i = 0; i < len; i += 2) {
        buf[i] = 0x6e;
        buf[i + 1] = 0x80; /* indefinite length */
    }
    d.data = buf;
    d.length = len;
#ifdef HEIMDAL
    krb5_ap_req r;
    krb5_decode_ap_req(NULL, &d, &r);
#else
    krb5_ap_req *r;
    decode_krb5_ap_req(&d, &r);
#endif
    return 0;
}

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
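
Added example, not part of the original message and not MIT krb5 or Heimdal code: a minimal depth-limited BER walker showing how a recursion cap rejects the nested indefinite-length input that the test program builds. The names walk, try_nested and MAX_DEPTH are hypothetical; the cap of 31 is taken from the question quoted above, and counting the outermost element as level 1 is an assumption.

```c
#include <stdlib.h>
#define MAX_DEPTH 31 /* cap from the question above; assumed here */

/* Hypothetical mini BER walker, not krb5 code. Parses one element in
 * buf[0..len) and returns bytes consumed, or -1 if malformed or nested
 * deeper than MAX_DEPTH. Single-byte tags, short or indefinite lengths. */
static long walk(const unsigned char *buf, size_t len, int depth)
{
    size_t pos = 2, end;
    long n;
    if (depth > MAX_DEPTH || len < 2)
        return -1;              /* depth check bounds the recursion */
    if (buf[1] == 0x80) {       /* indefinite length */
        if (!(buf[0] & 0x20))
            return -1;          /* only valid on constructed types */
        for (;;) {
            if (len - pos >= 2 && buf[pos] == 0 && buf[pos + 1] == 0)
                return (long)(pos + 2);     /* end-of-contents */
            if ((n = walk(buf + pos, len - pos, depth + 1)) < 0)
                return -1;
            pos += (size_t)n;
        }
    }
    if ((buf[1] & 0x80) || (size_t)buf[1] > len - 2)
        return -1;              /* long form unsupported, or truncated */
    end = 2 + (size_t)buf[1];
    while ((buf[0] & 0x20) && pos < end) {
        if ((n = walk(buf + pos, end - pos, depth + 1)) < 0)
            return -1;
        pos += (size_t)n;
    }
    return (long)end;
}

/* Constructed input: `levels` nested 0x6e 0x80 headers as in the test
 * program, followed by end-of-contents zeros when `closed` is set. */
static long try_nested(size_t levels, int closed)
{
    size_t i, len = levels * (closed ? 4 : 2);
    unsigned char *buf = calloc(len + 1, 1);
    long r;
    if (buf == NULL)
        return -2;
    for (i = 0; i < 2 * levels; i++)
        buf[i] = (i & 1) ? 0x80 : 0x6e;
    r = walk(buf, len, 1);
    free(buf);
    return r;
}

int main(void) { return try_nested(45000, 0) == -1 ? 0 : 1; }
```

try_nested(45000, 0) reproduces the 90000-byte buffer from the message; the walker gives up at level 32 instead of recursing once per header pair.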