From 2e0381d556307f63643b8b580e165bf0baec5d1f Mon Sep 17 00:00:00 2001 From: Przemko Robakowski Date: Thu, 7 Nov 2024 13:39:55 +0100 Subject: [PATCH] Cap maximum response length from KDC --- lib/srv/desktop/rdp/rdpclient/src/network_client.rs | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/lib/srv/desktop/rdp/rdpclient/src/network_client.rs b/lib/srv/desktop/rdp/rdpclient/src/network_client.rs index 48ce0ceabff72..246353d562e4a 100644 --- a/lib/srv/desktop/rdp/rdpclient/src/network_client.rs +++ b/lib/srv/desktop/rdp/rdpclient/src/network_client.rs @@ -54,6 +54,11 @@ impl NetworkClient { const DEFAULT_KERBEROS_PORT: u16 = 88; +// Maximum response size from KDC we accept, Windows uses maximum token size of 48kB and recommends +// not to exceed 64kB +// https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kerberos-authentication-problems-if-user-belongs-to-groups#calculating-the-maximum-token-size +const MAX_RESPONSE_LENGTH: u32 = 65535; + impl NetworkClient { async fn send_tcp(&self, url: &Url, data: &[u8]) -> ConnectorResult> { let addr = format!( @@ -77,6 +82,14 @@ impl NetworkClient { reason_err!("NLA", "reading data from Key Distribution Center failed") })?; + if len > MAX_RESPONSE_LENGTH { + error!("KDC response too large: {} > {}", len, MAX_RESPONSE_LENGTH); + return Err(reason_err!( + "NLA", + "response from Key Distribution Center was too large" + )); + } + let mut buf = vec![0; len as usize + 4]; buf[0..4].copy_from_slice(&(len.to_be_bytes()));