|
 |
7500e1 |
From b6efe6b119b0c11314a324e8a2cf96fb74a9c983 Mon Sep 17 00:00:00 2001
|
|
|
7500e1 |
From: Sam Morris <sam@robots.org.uk>
|
|
|
7500e1 |
Date: Tue, 6 Apr 2021 18:42:19 +0100
|
|
|
7500e1 |
Subject: [PATCH 1/6] responder/common/responder_packet: handle large service
|
|
|
7500e1 |
tickets
|
|
|
7500e1 |
|
|
|
7500e1 |
Resolves: https://github.com/SSSD/sssd/issues/5568
|
|
|
7500e1 |
|
|
|
7500e1 |
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
|
7500e1 |
---
|
|
|
7500e1 |
src/responder/common/responder_packet.c | 11 +++++++++++
|
|
|
7500e1 |
src/responder/common/responder_packet.h | 1 +
|
|
|
7500e1 |
2 files changed, 12 insertions(+)
|
|
|
7500e1 |
|
|
|
7500e1 |
diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c
|
|
|
7500e1 |
index f56d92276..d091332b0 100644
|
|
|
7500e1 |
--- a/src/responder/common/responder_packet.c
|
|
|
7500e1 |
+++ b/src/responder/common/responder_packet.c
|
|
|
7500e1 |
@@ -229,6 +229,17 @@ int sss_packet_recv(struct sss_packet *packet, int fd)
|
|
|
7500e1 |
if (ret != EOK) {
|
|
|
7500e1 |
return ret;
|
|
|
7500e1 |
}
|
|
|
7500e1 |
+ /* Kerberos tickets can get pretty big; since Windows Server 2012, the
|
|
|
7500e1 |
+ * limit is 48 KiB!
|
|
|
7500e1 |
+ */
|
|
|
7500e1 |
+ } else if ((sss_packet_get_cmd(packet) == SSS_GSSAPI_SEC_CTX)
|
|
|
7500e1 |
+ && packet->memsize < SSS_GSSAPI_PACKET_MAX_RECV_SIZE
|
|
|
7500e1 |
+ && new_len < SSS_GSSAPI_PACKET_MAX_RECV_SIZE) {
|
|
|
7500e1 |
+ sss_packet_set_len(packet, 0);
|
|
|
7500e1 |
+ ret = sss_packet_grow(packet, new_len);
|
|
|
7500e1 |
+ if (ret != EOK) {
|
|
|
7500e1 |
+ return ret;
|
|
|
7500e1 |
+ }
|
|
|
7500e1 |
} else {
|
|
|
7500e1 |
return EINVAL;
|
|
|
7500e1 |
}
|
|
|
7500e1 |
diff --git a/src/responder/common/responder_packet.h b/src/responder/common/responder_packet.h
|
|
|
7500e1 |
index 509a22a9a..70bf1e8d3 100644
|
|
|
7500e1 |
--- a/src/responder/common/responder_packet.h
|
|
|
7500e1 |
+++ b/src/responder/common/responder_packet.h
|
|
|
7500e1 |
@@ -26,6 +26,7 @@
|
|
|
7500e1 |
|
|
|
7500e1 |
#define SSS_PACKET_MAX_RECV_SIZE 1024
|
|
|
7500e1 |
#define SSS_CERT_PACKET_MAX_RECV_SIZE ( 10 * SSS_PACKET_MAX_RECV_SIZE )
|
|
|
7500e1 |
+#define SSS_GSSAPI_PACKET_MAX_RECV_SIZE ( SSS_PACKET_MAX_RECV_SIZE + 48 * 1024 )
|
|
|
7500e1 |
|
|
|
7500e1 |
struct sss_packet;
|
|
|
7500e1 |
|
|
|
7500e1 |
--
|
|
|
7500e1 |
2.26.3
|
|
|
7500e1 |
|
|
|
7500e1 |
|
|
|
7500e1 |
From c6a76283580c25ff78b36b8b23efdabbdb3a2cc1 Mon Sep 17 00:00:00 2001
|
|
|
7500e1 |
From: Sam Morris <sam@robots.org.uk>
|
|
|
7500e1 |
Date: Wed, 7 Apr 2021 14:21:34 +0100
|
|
|
7500e1 |
Subject: [PATCH 2/6] responder/common/responder_packet: reduce duplication of
|
|
|
7500e1 |
code that handles larger-than-normal packets
|
|
|
7500e1 |
|
|
|
7500e1 |
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
|
7500e1 |
---
|
|
|
7500e1 |
src/responder/common/responder_packet.c | 40 +++++++++++++------------
|
|
|
7500e1 |
1 file changed, 21 insertions(+), 19 deletions(-)
|
|
|
7500e1 |
|
|
|
7500e1 |
diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c
|
|
|
7500e1 |
index d091332b0..523c9ddd4 100644
|
|
|
7500e1 |
--- a/src/responder/common/responder_packet.c
|
|
|
7500e1 |
+++ b/src/responder/common/responder_packet.c
|
|
|
7500e1 |
@@ -216,25 +216,27 @@ int sss_packet_recv(struct sss_packet *packet, int fd)
|
|
|
7500e1 |
|
|
|
7500e1 |
new_len = sss_packet_get_len(packet);
|
|
|
7500e1 |
if (new_len > packet->memsize) {
|
|
|
7500e1 |
- /* Allow certificate based requests to use larger buffer but not
|
|
|
7500e1 |
- * larger than SSS_CERT_PACKET_MAX_RECV_SIZE. Due to the way
|
|
|
7500e1 |
- * sss_packet_grow() works the packet len must be set to '0' first and
|
|
|
7500e1 |
- * then grow to the expected size. */
|
|
|
7500e1 |
- if ((sss_packet_get_cmd(packet) == SSS_NSS_GETNAMEBYCERT
|
|
|
7500e1 |
- || sss_packet_get_cmd(packet) == SSS_NSS_GETLISTBYCERT)
|
|
|
7500e1 |
- && packet->memsize < SSS_CERT_PACKET_MAX_RECV_SIZE
|
|
|
7500e1 |
- && new_len < SSS_CERT_PACKET_MAX_RECV_SIZE) {
|
|
|
7500e1 |
- sss_packet_set_len(packet, 0);
|
|
|
7500e1 |
- ret = sss_packet_grow(packet, new_len);
|
|
|
7500e1 |
- if (ret != EOK) {
|
|
|
7500e1 |
- return ret;
|
|
|
7500e1 |
- }
|
|
|
7500e1 |
- /* Kerberos tickets can get pretty big; since Windows Server 2012, the
|
|
|
7500e1 |
- * limit is 48 KiB!
|
|
|
7500e1 |
- */
|
|
|
7500e1 |
- } else if ((sss_packet_get_cmd(packet) == SSS_GSSAPI_SEC_CTX)
|
|
|
7500e1 |
- && packet->memsize < SSS_GSSAPI_PACKET_MAX_RECV_SIZE
|
|
|
7500e1 |
- && new_len < SSS_GSSAPI_PACKET_MAX_RECV_SIZE) {
|
|
|
7500e1 |
+ enum sss_cli_command cmd = sss_packet_get_cmd(packet);
|
|
|
7500e1 |
+ size_t max_recv_size;
|
|
|
7500e1 |
+
|
|
|
7500e1 |
+ /* Allow certain packet types to use a larger buffer. */
|
|
|
7500e1 |
+ switch (cmd) {
|
|
|
7500e1 |
+ case SSS_NSS_GETNAMEBYCERT:
|
|
|
7500e1 |
+ case SSS_NSS_GETLISTBYCERT:
|
|
|
7500e1 |
+ max_recv_size = SSS_CERT_PACKET_MAX_RECV_SIZE;
|
|
|
7500e1 |
+ break;
|
|
|
7500e1 |
+
|
|
|
7500e1 |
+ case SSS_GSSAPI_SEC_CTX:
|
|
|
7500e1 |
+ max_recv_size = SSS_GSSAPI_PACKET_MAX_RECV_SIZE;
|
|
|
7500e1 |
+ break;
|
|
|
7500e1 |
+
|
|
|
7500e1 |
+ default:
|
|
|
7500e1 |
+ max_recv_size = 0;
|
|
|
7500e1 |
+ }
|
|
|
7500e1 |
+
|
|
|
7500e1 |
+ /* Due to the way sss_packet_grow() works, the packet len must be set
|
|
|
7500e1 |
+ * to 0 first, and then grown to the expected size. */
|
|
|
7500e1 |
+ if (max_recv_size && packet->memsize < max_recv_size && new_len < max_recv_size) {
|
|
|
7500e1 |
sss_packet_set_len(packet, 0);
|
|
|
7500e1 |
ret = sss_packet_grow(packet, new_len);
|
|
|
7500e1 |
if (ret != EOK) {
|
|
|
7500e1 |
--
|
|
|
7500e1 |
2.26.3
|
|
|
7500e1 |
|
|
|
7500e1 |
|
|
|
7500e1 |
From 63f318f73c933dc2cb08cad2f911a52d2281c45b Mon Sep 17 00:00:00 2001
|
|
|
7500e1 |
From: Sam Morris <sam@robots.org.uk>
|
|
|
7500e1 |
Date: Wed, 7 Apr 2021 14:22:25 +0100
|
|
|
7500e1 |
Subject: [PATCH 3/6] responder/common/responder_packet: add debug logging to
|
|
|
7500e1 |
assist with errors caused by overlarge packets
|
|
|
7500e1 |
|
|
|
7500e1 |
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
|
7500e1 |
---
|
|
|
7500e1 |
src/responder/common/responder_packet.c | 3 +++
|
|
|
7500e1 |
1 file changed, 3 insertions(+)
|
|
|
7500e1 |
|
|
|
7500e1 |
diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c
|
|
|
7500e1 |
index 523c9ddd4..01a4e640e 100644
|
|
|
7500e1 |
--- a/src/responder/common/responder_packet.c
|
|
|
7500e1 |
+++ b/src/responder/common/responder_packet.c
|
|
|
7500e1 |
@@ -243,6 +243,9 @@ int sss_packet_recv(struct sss_packet *packet, int fd)
|
|
|
7500e1 |
return ret;
|
|
|
7500e1 |
}
|
|
|
7500e1 |
} else {
|
|
|
7500e1 |
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
|
7500e1 |
+ "Refusing to read overlarge packet from fd %d (length %zu bytes, cmd %#04x)",
|
|
|
7500e1 |
+ fd, new_len, cmd);
|
|
|
7500e1 |
return EINVAL;
|
|
|
7500e1 |
}
|
|
|
7500e1 |
}
|
|
|
7500e1 |
--
|
|
|
7500e1 |
2.26.3
|
|
|
7500e1 |
|
|
|
7500e1 |
|
|
|
7500e1 |
From 37d331774385b2b871ba76fcdef6ceafd776efce Mon Sep 17 00:00:00 2001
|
|
|
7500e1 |
From: Sam Morris <sam@robots.org.uk>
|
|
|
7500e1 |
Date: Wed, 7 Apr 2021 14:23:03 +0100
|
|
|
7500e1 |
Subject: [PATCH 4/6] responder/common/responder_packet: further increase
|
|
|
7500e1 |
packet size for SSS_GSSAPI_SEC_CTX
|
|
|
7500e1 |
|
|
|
7500e1 |
Tokens can be 48 KiB in Windows Server 2012. Limiting to 128 KiB
|
|
|
7500e1 |
provides extra overhead should that increase in the future.
|
|
|
7500e1 |
|
|
|
7500e1 |
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
|
7500e1 |
---
|
|
|
7500e1 |
src/responder/common/responder_packet.h | 2 +-
|
|
|
7500e1 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
7500e1 |
|
|
|
7500e1 |
diff --git a/src/responder/common/responder_packet.h b/src/responder/common/responder_packet.h
|
|
|
7500e1 |
index 70bf1e8d3..fd991969b 100644
|
|
|
7500e1 |
--- a/src/responder/common/responder_packet.h
|
|
|
7500e1 |
+++ b/src/responder/common/responder_packet.h
|
|
|
7500e1 |
@@ -26,7 +26,7 @@
|
|
|
7500e1 |
|
|
|
7500e1 |
#define SSS_PACKET_MAX_RECV_SIZE 1024
|
|
|
7500e1 |
#define SSS_CERT_PACKET_MAX_RECV_SIZE ( 10 * SSS_PACKET_MAX_RECV_SIZE )
|
|
|
7500e1 |
-#define SSS_GSSAPI_PACKET_MAX_RECV_SIZE ( SSS_PACKET_MAX_RECV_SIZE + 48 * 1024 )
|
|
|
7500e1 |
+#define SSS_GSSAPI_PACKET_MAX_RECV_SIZE ( 128 * 1024 )
|
|
|
7500e1 |
|
|
|
7500e1 |
struct sss_packet;
|
|
|
7500e1 |
|
|
|
7500e1 |
--
|
|
|
7500e1 |
2.26.3
|
|
|
7500e1 |
|
|
|
7500e1 |
|
|
|
7500e1 |
From 5c9fa75bd0ffa02e31cbbf19ee68134ed384229a Mon Sep 17 00:00:00 2001
|
|
|
7500e1 |
From: Sam Morris <sam@robots.org.uk>
|
|
|
7500e1 |
Date: Wed, 7 Apr 2021 19:59:45 +0100
|
|
|
7500e1 |
Subject: [PATCH 5/6] responder/common/responder_packet: remove some
|
|
|
7500e1 |
unnecessary checks before growing packet
|
|
|
7500e1 |
|
|
|
7500e1 |
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
|
7500e1 |
---
|
|
|
7500e1 |
src/responder/common/responder_packet.c | 2 +-
|
|
|
7500e1 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
7500e1 |
|
|
|
7500e1 |
diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c
|
|
|
7500e1 |
index 01a4e640e..c4b38f71b 100644
|
|
|
7500e1 |
--- a/src/responder/common/responder_packet.c
|
|
|
7500e1 |
+++ b/src/responder/common/responder_packet.c
|
|
|
7500e1 |
@@ -236,7 +236,7 @@ int sss_packet_recv(struct sss_packet *packet, int fd)
|
|
|
7500e1 |
|
|
|
7500e1 |
/* Due to the way sss_packet_grow() works, the packet len must be set
|
|
|
7500e1 |
* to 0 first, and then grown to the expected size. */
|
|
|
7500e1 |
- if (max_recv_size && packet->memsize < max_recv_size && new_len < max_recv_size) {
|
|
|
7500e1 |
+ if (new_len < max_recv_size) {
|
|
|
7500e1 |
sss_packet_set_len(packet, 0);
|
|
|
7500e1 |
ret = sss_packet_grow(packet, new_len);
|
|
|
7500e1 |
if (ret != EOK) {
|
|
|
7500e1 |
--
|
|
|
7500e1 |
2.26.3
|
|
|
7500e1 |
|
|
|
7500e1 |
|
|
|
7500e1 |
From b87619f9a917d6ed9ecdb5360c4bf242dce8e372 Mon Sep 17 00:00:00 2001
|
|
|
7500e1 |
From: Sam Morris <sam@robots.org.uk>
|
|
|
7500e1 |
Date: Thu, 8 Apr 2021 19:09:33 +0100
|
|
|
7500e1 |
Subject: [PATCH 6/6] responder/common/responder_packet: allow packets of max
|
|
|
7500e1 |
size
|
|
|
7500e1 |
|
|
|
7500e1 |
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
|
7500e1 |
---
|
|
|
7500e1 |
src/responder/common/responder_packet.c | 2 +-
|
|
|
7500e1 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
7500e1 |
|
|
|
7500e1 |
diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c
|
|
|
7500e1 |
index c4b38f71b..f2223c665 100644
|
|
|
7500e1 |
--- a/src/responder/common/responder_packet.c
|
|
|
7500e1 |
+++ b/src/responder/common/responder_packet.c
|
|
|
7500e1 |
@@ -236,7 +236,7 @@ int sss_packet_recv(struct sss_packet *packet, int fd)
|
|
|
7500e1 |
|
|
|
7500e1 |
/* Due to the way sss_packet_grow() works, the packet len must be set
|
|
|
7500e1 |
* to 0 first, and then grown to the expected size. */
|
|
|
7500e1 |
- if (new_len < max_recv_size) {
|
|
|
7500e1 |
+ if (new_len <= max_recv_size) {
|
|
|
7500e1 |
sss_packet_set_len(packet, 0);
|
|
|
7500e1 |
ret = sss_packet_grow(packet, new_len);
|
|
|
7500e1 |
if (ret != EOK) {
|
|
|
7500e1 |
--
|
|
|
7500e1 |
2.26.3
|
|
|
7500e1 |
|