1
0
mirror of https://github.com/rkd77/elinks.git synced 2024-12-04 14:46:47 -05:00

http_negotiate: Fix int* vs. size_t* type mismatch

http_negotiate_parse_data passed &token->length as the int *outlen
parameter of base64_decode_bin, which stores an int at that location.
However, gss_buffer_desc::length is size_t in all implementations that
I checked: MIT Kerberos Version 5 Release 1.10, libgssglue 0.4, and
GNU GSS 1.0.2.  This mismatch could cause the build to fail:

.../src/protocol/http/http_negotiate.c: In function ‘http_negotiate_parse_data’:
.../src/protocol/http/http_negotiate.c:173:2: error: passing argument 3 of ‘base64_decode_bin’ from incompatible pointer type [-Werror]
In file included from .../src/protocol/http/http_negotiate.c:30:0:
.../src/util/base64.h:8:16: note: expected ‘int *’ but argument is of type ‘size_t *’

On 64-bit big-endian hosts, it might also cause the GSSAPI
implementation to read too much data from memory and disclose it to
some network server, or crash ELinks.
(cherry picked from elinks-0.12 commit d33c807dd9)
This commit is contained in:
Kalle Olavi Niemitalo 2012-10-26 15:20:32 +03:00 committed by Kalle Olavi Niemitalo
parent 1cba6b46e5
commit ed6a33d318

View File

@ -142,6 +142,7 @@ http_negotiate_parse_data(unsigned char *data, int type,
{ {
int len = 0; int len = 0;
unsigned char *end; unsigned char *end;
int bytelen = 0;
if (data == NULL || *data == '\0') if (data == NULL || *data == '\0')
return 0; return 0;
@ -170,7 +171,8 @@ http_negotiate_parse_data(unsigned char *data, int type,
if (!len) if (!len)
return 0; return 0;
token->value = (void *) base64_decode_bin(data, len, &token->length); token->value = (void *) base64_decode_bin(data, len, &bytelen);
token->length = bytelen; /* convert int to size_t */
if (!token->value) if (!token->value)
return -1; return -1;