02200d55eaf01a3a21d52eccfa7eea02f9e8df72
As documented in Russell O'Connor's blog, Heimdal when compiled with some versions of gcc 9 and 10 would generate incorrect behaviors from _gssapi_verify_mic_arcfour(), _gssapi_unwrap_arcfour(), _gssapi_unwrap_iov_arcfour() and _gssapi_unwrap_iov_arcfour().

As a result of the bug, code of the form

    if (memcmp(a, "\x00\x00\x00\x00"))

and

    cmp = memcmp(a, "\x00\x00\x00\x00")

will be compiled as if it were written as

    if (strcmp(a, "\x00\x00\x00\x00"))

and

    cmp = strcmp(a, "\x00\x00\x00\x00")

but not

    if (memcmp(a, "\x00\x00\x00\x00") != 0)

and

    cmp = (memcmp(a, "\x00\x00\x00\x00") != 0)

Bad code is generated whenever one of the parameters to memcmp() is a constant with at least one NUL in the first four octets and the return value is used immediately without a boolean comparison. The gcc bug 95189 has since been fixed.

This change applies a defensive programming technique to avoid the broken code generation.

Change-Id: I1db2a561735317cb6cac66a0ec9caf5443e65e03
Link: https://r6.ca/blog/20200929T023701Z.html
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95189
Reported-by: Buck Huppmann (buckh@pobox.com) <buckh@pobox.com>
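As an added illustration of the miscompile the commit message describes (example code written for this page, not Heimdal's code and not the actual fix), the C program below puts the intended four-octet comparison, written in the explicit "== 0" form, beside a hand-written stand-in for the strcmp()-like behaviour, and counts on which inputs the two disagree. The function names and the sample header fields are constructed for the example; the stand-in reproduces the described semantics, not the compiler bug itself.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not Heimdal code.  The arcfour token code compares a
 * four-octet header field against a constant that is all NUL bytes.  With
 * the affected gcc releases, a memcmp() whose result is used directly as a
 * truth value could be compiled as if it were strcmp(), which stops at the
 * first NUL and therefore inspects only the first octet.
 *
 * header_is_zero_miscompiled() is a hand-written stand-in for that
 * strcmp()-like behaviour so the divergence is observable with any
 * compiler; it does not reproduce the gcc bug itself.  All function names
 * are hypothetical.
 */

static const unsigned char ZERO4[4] = { 0, 0, 0, 0 };

/* Intended semantics: all four octets must be NUL.  The memcmp() return
 * value is compared explicitly (the "!= 0" / "== 0" form the commit message
 * says is not affected) rather than used as a bare boolean. */
static int header_is_zero_correct(const unsigned char *a)
{
    return memcmp(a, ZERO4, sizeof(ZERO4)) == 0;
}

/* Stand-in for the miscompiled form: walk both buffers the way strcmp()
 * does, stopping at the first mismatch or the first NUL in either input.
 * Because ZERO4[0] is NUL, this reports "equal" as soon as a[0] is NUL,
 * regardless of a[1..3]. */
static int header_is_zero_miscompiled(const unsigned char *a)
{
    size_t i;
    for (i = 0; i < sizeof(ZERO4); i++) {
        if (a[i] != ZERO4[i])
            return 0;      /* mismatch: not equal */
        if (a[i] == 0)
            return 1;      /* NUL in both: strcmp() stops here, "equal" */
    }
    return 1;
}

/* Count the four-octet inputs, each octet drawn from {0x00, 0x01}, on which
 * the two forms disagree.  Every disagreement is an input whose first octet
 * is NUL but which is not all-NUL: the miscompiled check accepts a header
 * the correct check rejects. */
static int count_divergent_inputs(void)
{
    int divergent = 0;
    unsigned bits;
    for (bits = 0; bits < 16; bits++) {
        unsigned char a[4];
        int i;
        for (i = 0; i < 4; i++)
            a[i] = (unsigned char)((bits >> i) & 1);
        if (header_is_zero_correct(a) != header_is_zero_miscompiled(a))
            divergent++;
    }
    return divergent;
}

int main(void)
{
    /* Constructed header fields: all-zero, zero first octet with a non-zero
     * second octet, and non-zero first octet. */
    static const unsigned char all_zero[4]   = { 0x00, 0x00, 0x00, 0x00 };
    static const unsigned char zero_first[4] = { 0x00, 0x01, 0x00, 0x00 };
    static const unsigned char nonzero[4]    = { 0x01, 0x00, 0x00, 0x00 };

    printf("all_zero   correct=%d miscompiled=%d\n",
           header_is_zero_correct(all_zero), header_is_zero_miscompiled(all_zero));
    printf("zero_first correct=%d miscompiled=%d\n",
           header_is_zero_correct(zero_first), header_is_zero_miscompiled(zero_first));
    printf("nonzero    correct=%d miscompiled=%d\n",
           header_is_zero_correct(nonzero), header_is_zero_miscompiled(nonzero));
    printf("divergent inputs over {0,1}^4: %d\n", count_divergent_inputs());
    return 0;
}
```

The zero_first case is the one that matters for a token check: the correct comparison rejects it, the strcmp()-like comparison accepts it because it never looks past the first NUL. Writing the comparison as memcmp(...) == 0 or memcmp(...) != 0 sidesteps the pattern the commit message identifies; a constant-time comparison routine is a further hardening option that this page does not discuss.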
Heimdal
Heimdal is an implementation of:
- ASN.1/DER,
- PKIX, and
- Kerberos.
For information on how to install, see here.
There are man pages for most of the commands.
Bug reports are appreciated; please file them as GitHub issues.
For more information see the project homepage https://heimdal.software/heimdal/ or the mailing lists:
- heimdal-announce@heimdal.software (low-volume announcements)
- heimdal-discuss@heimdal.software (high-volume discussion)
Send mail to heimdal-announce-subscribe@heimdal.software and heimdal-discuss-subscribe@heimdal.software respectively to subscribe.