Bug #8238
xdr_callmsg() should clear residual bytes
Status: closed
Start date: 2017-05-15
% Done: 100%
Difficulty: Medium
Tags: needs-triage
Description
The xdr_callmsg() function is not zeroing the residual bytes for both credential and verifier in the in-line XDR encoding code path. This violates RFC 4506 (Section 4.10) and could leak some uninitialized and thus possibly sensitive data over the wire.
We should modify both implementations of xdr_callmsg() to properly zero the residual bytes, similarly to what xdr_replymsg() does for the verifier residual bytes.
Updated by Marcel Telka over 6 years ago
To reproduce the problem, run the attached test. It will show either leaked sensitive data (ee) or just garbage (aa) in the encoded stream.
$ ./test
11223344 00000000 00000002 00000005 00000006 00000007 00000008 00000005 66666666 66eeeeee 00000009 00000005 77777777 77eeeeee
$
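The padding rule behind this bug, as an added example (not the illumos code or the attached test): an XDR variable-length opaque is a 4-byte length, the body, then 0 to 3 residual bytes that must be zero. The function names are hypothetical, and 0xee stands in for stale data already in the buffer, as in the output above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define XDR_UNIT 4
#define RNDUP(n) (((n) + XDR_UNIT - 1) & ~(size_t)(XDR_UNIT - 1))

/* Write a 32-bit length in network byte order. */
static void put_u32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* "Before": copies the body but leaves the 0-3 pad bytes as found in buf. */
size_t encode_opaque_unpadded(unsigned char *buf, const void *data, uint32_t len)
{
    put_u32(buf, len);
    memcpy(buf + XDR_UNIT, data, len);
    return XDR_UNIT + RNDUP(len);
}

/* "After": same layout, residual bytes forced to zero (RFC 4506, 4.10). */
size_t encode_opaque_padded(unsigned char *buf, const void *data, uint32_t len)
{
    size_t padded = RNDUP(len);
    put_u32(buf, len);
    memcpy(buf + XDR_UNIT, data, len);
    memset(buf + XDR_UNIT + len, 0, padded - len);
    return XDR_UNIT + padded;
}

/* Check: count non-zero residual bytes of one encoded opaque item. */
int nonzero_residual(const unsigned char *buf)
{
    uint32_t len = (uint32_t)buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3];
    int bad = 0;
    for (size_t i = len; i < RNDUP(len); i++)
        bad += buf[XDR_UNIT + i] != 0;
    return bad;
}

/* Constructed demo: encode a 5-byte credential body into a dirty buffer. */
int demo(int fixed)
{
    unsigned char buf[16], cred[5] = { 0x66, 0x66, 0x66, 0x66, 0x66 };
    memset(buf, 0xee, sizeof (buf));
    if (fixed) encode_opaque_padded(buf, cred, sizeof (cred));
    else encode_opaque_unpadded(buf, cred, sizeof (cred));
    return nonzero_residual(buf);
}
```

A check like nonzero_residual() can be run over encoded call messages in a regression test to confirm that no pad byte carries data.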
Updated by Marcel Telka over 6 years ago
Updated by Marcel Telka over 6 years ago
- Status changed from In Progress to Pending RTI
Updated by Electric Monk over 6 years ago
- Status changed from Pending RTI to Closed
- % Done changed from 0 to 100
git commit 45681b8b0e59cad83c1547d78e25d4b7f218d635
commit 45681b8b0e59cad83c1547d78e25d4b7f218d635
Author: Marcel Telka <marcel@telka.sk>
Date: 2017-05-29T16:28:55.000Z

8238 xdr_callmsg() should clear residual bytes
Reviewed by: Toomas Soome <tsoome@me.com>
Reviewed by: Yuri Pankov <yuripv@gmx.com>
Reviewed by: Gary Mills <gary_mills@fastmail.fm>
Approved by: Robert Mustacchi <rm@joyent.com>