mirror of
https://github.com/rkd77/elinks.git
synced 2024-12-04 14:46:47 -05:00
http_negotiate: Fix int* vs. size_t* type mismatch
http_negotiate_parse_data passed &token->length as the int *outlen
parameter of base64_decode_bin, which stores an int at that location.
However, gss_buffer_desc::length is size_t in all implementations that
I checked: MIT Kerberos Version 5 Release 1.10, libgssglue 0.4, and
GNU GSS 1.0.2. This mismatch could cause the build to fail:
.../src/protocol/http/http_negotiate.c: In function ‘http_negotiate_parse_data’:
.../src/protocol/http/http_negotiate.c:173:2: error: passing argument 3 of ‘base64_decode_bin’ from incompatible pointer type [-Werror]
In file included from .../src/protocol/http/http_negotiate.c:30:0:
.../src/util/base64.h:8:16: note: expected ‘int *’ but argument is of type ‘size_t *’
On 64-bit big-endian hosts, it might also cause the GSSAPI
implementation to read too much data from memory and disclose it to
some network server, or crash ELinks.
(cherry picked from elinks-0.12 commit d33c807dd9
)
This commit is contained in:
parent
1cba6b46e5
commit
ed6a33d318
@ -142,6 +142,7 @@ http_negotiate_parse_data(unsigned char *data, int type,
|
|||||||
{
|
{
|
||||||
int len = 0;
|
int len = 0;
|
||||||
unsigned char *end;
|
unsigned char *end;
|
||||||
|
int bytelen = 0;
|
||||||
|
|
||||||
if (data == NULL || *data == '\0')
|
if (data == NULL || *data == '\0')
|
||||||
return 0;
|
return 0;
|
||||||
@ -170,7 +171,8 @@ http_negotiate_parse_data(unsigned char *data, int type,
|
|||||||
if (!len)
|
if (!len)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
token->value = (void *) base64_decode_bin(data, len, &token->length);
|
token->value = (void *) base64_decode_bin(data, len, &bytelen);
|
||||||
|
token->length = bytelen; /* convert int to size_t */
|
||||||
|
|
||||||
if (!token->value)
|
if (!token->value)
|
||||||
return -1;
|
return -1;
|
||||||
|
Loading…
Reference in New Issue
Block a user