[squid-dev] [PATCH] Negotiate Kerberos authentication request size exceeds output buffer size
Amos Jeffries
squid3 at treenet.co.nz
Wed Apr 15 15:40:37 UTC 2015
On 16/04/2015 2:33 a.m., Tsantilas Christos wrote:
> Despite the "must match" comment, MAX_AUTHTOKEN_LEN in
> auth/UserRequest.h got out of sync with similar constants in Negotiate
> helpers. A 32KB buffer cannot fit some helper requests (e.g., those
> carrying Privilege Account Certificate information in the client's
> Kerberos ticket). Each truncated request blocks the negotiate helper
> channel, eventually causing helper queue overflow and possibly killing
> Squid.
>
> This patch increases MAX_AUTHTOKEN_LEN in UserRequest.h to 65535 which
> is also the maximum used by the negotiate helpers. The patch also adds
> checks to avoid sending truncated requests, treating them as helper
> errors instead.
+1. Please apply.
Amos
More information about the squid-dev
mailing list