mirror of https://github.com/rkd77/elinks.git synced 2025-01-03 14:57:44 -05:00

http_negotiate: Fix int* vs. size_t* type mismatch

http_negotiate_parse_data passed &token->length as the int *outlen
parameter of base64_decode_bin, which stores an int at that location.
However, gss_buffer_desc::length is size_t in all implementations that
I checked: MIT Kerberos Version 5 Release 1.10, libgssglue 0.4, and
GNU GSS 1.0.2.  This mismatch could cause the build to fail:

.../src/protocol/http/http_negotiate.c: In function ‘http_negotiate_parse_data’:
.../src/protocol/http/http_negotiate.c:173:2: error: passing argument 3 of ‘base64_decode_bin’ from incompatible pointer type [-Werror]
In file included from .../src/protocol/http/http_negotiate.c:30:0:
.../src/util/base64.h:8:16: note: expected ‘int *’ but argument is of type ‘size_t *’

On 64-bit big-endian hosts, it might also cause the GSSAPI
implementation to read too much data from memory and disclose it to
some network server, or crash ELinks.
This commit is contained in:
Kalle Olavi Niemitalo 2012-10-26 15:20:32 +03:00 committed by Kalle Olavi Niemitalo
parent 75e9367770
commit d33c807dd9
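
The size mismatch described in the commit message, as an added example that is not part of the ELinks source or of this commit: a portable byte-level model of a callee storing a 4-byte int at the start of an 8-byte size_t field. It assumes a 32-bit int and a 64-bit size_t; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Write v into buf as an n-byte integer in the chosen byte order. */
static void put_int(uint8_t *buf, uint64_t v, int n, int big_endian)
{
    for (int i = 0; i < n; i++) {
        int shift = 8 * (big_endian ? n - 1 - i : i);
        buf[i] = (uint8_t)(v >> shift);
    }
}

/* Read an n-byte integer from buf in the chosen byte order. */
static uint64_t get_int(const uint8_t *buf, int n, int big_endian)
{
    uint64_t v = 0;
    for (int i = 0; i < n; i++) {
        int shift = 8 * (big_endian ? n - 1 - i : i);
        v |= (uint64_t)buf[i] << shift;
    }
    return v;
}

/* Model of the pre-fix call: the 8-byte length field holds `before`, the
 * callee overwrites only its first 4 bytes with decoded_len (an int store),
 * and the caller then reads all 8 bytes back as the length. */
uint64_t length_after_int_store(uint64_t before, uint32_t decoded_len, int big_endian)
{
    uint8_t slot[8];
    put_int(slot, before, 8, big_endian);
    put_int(slot, decoded_len, 4, big_endian); /* only 4 of 8 bytes written */
    return get_int(slot, 8, big_endian);
}

/* Model of the fixed code: decode into an int, then assign by value. */
uint64_t length_after_fix(uint32_t decoded_len)
{
    return (uint64_t)decoded_len;
}

int main(void)
{
    /* Constructed sample: a 100-byte decoded token, field initially zero. */
    printf("little-endian: %llu\n", (unsigned long long)length_after_int_store(0, 100, 0));
    printf("big-endian:    %llu\n", (unsigned long long)length_after_int_store(0, 100, 1));
    printf("after fix:     %llu\n", (unsigned long long)length_after_fix(100));
    return 0;
}
```

In the big-endian case the 4 bytes written are the high-order half of the field, so the length read back is the decoded length shifted left by 32 bits.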


@ -142,6 +142,7 @@ http_negotiate_parse_data(unsigned char *data, int type,
{ {
int len = 0; int len = 0;
unsigned char *end; unsigned char *end;
int bytelen = 0;
if (data == NULL || *data == '\0') if (data == NULL || *data == '\0')
return 0; return 0;
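
Review bot: the new "int bytelen = 0;" sits directly under "int len = 0;" with nothing to say which length is which. A short comment on the declaration, stating that len is the length of the base64 input passed to base64_decode_bin and bytelen receives the decoded length, would keep the two from being confused in later edits.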
@ -170,7 +171,8 @@ http_negotiate_parse_data(unsigned char *data, int type,
if (!len) if (!len)
return 0; return 0;
token->value = (void *) base64_decode_bin(data, len, &token->length); token->value = (void *) base64_decode_bin(data, len, &bytelen);
token->length = bytelen; /* convert int to size_t */
if (!token->value) if (!token->value)
return -1; return -1;
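
Review bot: "token->length = bytelen;" converts a signed int to size_t with no range check, and it runs before the "if (!token->value)" test. If base64_decode_bin ever leaves a negative value in bytelen, the assignment turns it into a very large length that the GSSAPI code would then trust, which is the same class of over-read this commit is fixing. Consider moving the assignment below the NULL check and returning -1 when bytelen is negative.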