[squid-dev] [PATCH] Negotiate Kerberos authentication request size exceeds output buffer size
Tsantilas Christos
chtsanti at users.sourceforge.net
Wed Apr 15 14:33:36 UTC 2015
Despite the "must match" comment, MAX_AUTHTOKEN_LEN in
auth/UserRequest.h got out of sync with similar constants in Negotiate
helpers. A 32KB buffer cannot fit some helper requests (e.g., those
carrying Privilege Account Certificate information in the client's
Kerberos ticket). Each truncated request blocks the negotiate helper
channel, eventually causing helper queue overflow and possibly killing
Squid.
This patch increases MAX_AUTHTOKEN_LEN in UserRequest.h to 65535 which
is also the maximum used by the negotiate helpers. The patch also adds
checks to avoid sending truncated requests, treating them as helper
errors instead.
This is a Measurement Factory project
-------------- next part --------------
A non-text attachment was scrubbed...
Name: max_auth_token_length-t3.patch
Type: text/x-patch
Size: 10150 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20150415/ee0bc628/attachment-0001.bin>
More information about the squid-dev
mailing list