[squid-dev] [PATCH] Negotiate Kerberos authentication request size exceeds output buffer size

Tsantilas Christos chtsanti at users.sourceforge.net
Thu Apr 16 08:51:55 UTC 2015


A more complete patch.It handles the cases where the snprintf return an 
error.
If no objections I will apply this one to trunk.





On 04/15/2015 05:33 PM, Tsantilas Christos wrote:
> Despite the "must match" comment, MAX_AUTHTOKEN_LEN in
> auth/UserRequest.h got out of sync with similar constants in Negotiate
> helpers. A 32KB buffer cannot fit some helper requests (e.g., those
> carrying Privilege Account Certificate information in the client's
> Kerberos ticket). Each truncated  request blocks the negotiate helper
> channel, eventually causing helper queue overflow and possibly killing
> Squid.
>
> This patch increases MAX_AUTHTOKEN_LEN in UserRequest.h to 65535 which
> is also the maximum used by the negotiate helpers. The patch also adds
> checks to avoid sending truncated requests, treating them as helper
> errors instead.
>
> This is a Measurement Factory project
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: max_auth_token_length-t4.patch
Type: text/x-patch
Size: 10967 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20150416/e4fbbe0f/attachment.bin>


More information about the squid-dev mailing list