From eff9f3c0a5d137cc0c6ebfc4a2af675e9cb42ea8 Mon Sep 17 00:00:00 2001 From: Przemko Robakowski Date: Tue, 12 Nov 2024 15:10:10 +0100 Subject: [PATCH] Cap maximum response length from KDC (#48808) --- lib/srv/desktop/rdp/rdpclient/src/network_client.rs | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/lib/srv/desktop/rdp/rdpclient/src/network_client.rs b/lib/srv/desktop/rdp/rdpclient/src/network_client.rs index 48ce0ceabff72..246353d562e4a 100644 --- a/lib/srv/desktop/rdp/rdpclient/src/network_client.rs +++ b/lib/srv/desktop/rdp/rdpclient/src/network_client.rs @@ -54,6 +54,11 @@ impl NetworkClient { const DEFAULT_KERBEROS_PORT: u16 = 88; +// Maximum response size from KDC we accept, Windows uses maximum token size of 48kB and recommends +// not to exceed 64kB +// https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kerberos-authentication-problems-if-user-belongs-to-groups#calculating-the-maximum-token-size +const MAX_RESPONSE_LENGTH: u32 = 65535; + impl NetworkClient { async fn send_tcp(&self, url: &Url, data: &[u8]) -> ConnectorResult> { let addr = format!( @@ -77,6 +82,14 @@ impl NetworkClient { reason_err!("NLA", "reading data from Key Distribution Center failed") })?; + if len > MAX_RESPONSE_LENGTH { + error!("KDC response too large: {} > {}", len, MAX_RESPONSE_LENGTH); + return Err(reason_err!( + "NLA", + "response from Key Distribution Center was too large" + )); + } + let mut buf = vec![0; len as usize + 4]; buf[0..4].copy_from_slice(&(len.to_be_bytes()));