From d78ad1fc906d1e03b8232e4c9aab831899c26b31 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 27 Dec 2013 11:38:10 -0500
Subject: Add zero termination when the buffer is a string
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This shouldn't be needed but apaprently there are a number of applications
like mod_auth_kerb that just blindly assume the out buffer returned by
gss_diplay_name() is a zero terminated string even though there is no
guarantee it is in the API. To avoid annoying misbehavior we forcibly zero
terminate strings copied and returned by the interposer.

Fixes: https://fedorahosted.org/gss-proxy/ticket/101

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
---
 proxy/src/client/gpm_import_and_canon_name.c |  3 ++-
 proxy/src/gp_conv.c                          | 21 +++++++++++++++++++++
 proxy/src/gp_conv.h                          |  1 +
 3 files changed, 24 insertions(+), 1 deletion(-)

(limited to 'proxy/src')

diff --git a/proxy/src/client/gpm_import_and_canon_name.c b/proxy/src/client/gpm_import_and_canon_name.c
index 68dc6ce..8e1204b 100644
--- a/proxy/src/client/gpm_import_and_canon_name.c
+++ b/proxy/src/client/gpm_import_and_canon_name.c
@@ -71,7 +71,8 @@ OM_uint32 gpm_display_name(OM_uint32 *minor_status,
         output_name->name_type.octet_string_val = NULL;
     }
 
-    ret = gp_copy_gssx_to_buffer(&in_name->display_name, output_name_buffer);
+    ret = gp_copy_gssx_to_string_buffer(&in_name->display_name,
+                                        output_name_buffer);
     if (ret) {
         ret_min = ret;
         ret_maj = GSS_S_FAILURE;
diff --git a/proxy/src/gp_conv.c b/proxy/src/gp_conv.c
index 0b177ee..a9f9669 100644
--- a/proxy/src/gp_conv.c
+++ b/proxy/src/gp_conv.c
@@ -184,6 +184,27 @@ int gp_copy_gssx_to_buffer(gssx_buffer *in, gss_buffer_t out)
     return 0;
 }
 
+int gp_copy_gssx_to_string_buffer(gssx_buffer *in, gss_buffer_t out)
+{
+    gss_buffer_desc empty = GSS_C_EMPTY_BUFFER;
+    char *str;
+
+    if (in->octet_string_len == 0) {
+        *out = empty;
+        return 0;
+    }
+
+    str = malloc(in->octet_string_len + 1);
+    if (!str) {
+        return ENOMEM;
+    }
+    memcpy(str, in->octet_string_val, in->octet_string_len);
+    str[in->octet_string_len] = '\0';
+    out->length = in->octet_string_len;
+    out->value = str;
+    return 0;
+}
+
 int gp_conv_buffer_to_gssx(gss_buffer_t in, gssx_buffer *out)
 {
     return gp_conv_octet_string(in->length, in->value, out);
diff --git a/proxy/src/gp_conv.h b/proxy/src/gp_conv.h
index c79010d..0ed6d91 100644
--- a/proxy/src/gp_conv.h
+++ b/proxy/src/gp_conv.h
@@ -43,6 +43,7 @@ int gp_conv_oid_to_gssx_alloc(gss_OID in, gssx_OID **out);
 void gp_conv_gssx_to_buffer(gssx_buffer *in, gss_buffer_t out);
 int gp_conv_gssx_to_buffer_alloc(gssx_buffer *in, gss_buffer_t *out);
 int gp_copy_gssx_to_buffer(gssx_buffer *in, gss_buffer_t out);
+int gp_copy_gssx_to_string_buffer(gssx_buffer *in, gss_buffer_t out);
 int gp_conv_buffer_to_gssx(gss_buffer_t in, gssx_buffer *out);
 int gp_conv_buffer_to_gssx_alloc(gss_buffer_t in, gssx_buffer **out);
 
-- 
cgit