On Thu, Feb 26, 2009 at 11:56:24AM +0000, Daniel P. Berrange wrote:
diff -r 0eb0b12c0673 vnc-auth-sasl.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/vnc-auth-sasl.c Mon Feb 23 13:40:03 2009 +0000
+
+#include "vnc.h"
+
+/* Max amount of data we send/recv for SASL steps to prevent DOS */
+#define SASL_DATA_MAX_LEN (1024 * 1024)
+
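Review bot: the comment on SASL_DATA_MAX_LEN says only that the bound exists "to prevent DOS"; it does not record why 1MB was chosen or that this is a server-side sanity limit rather than part of the auth protocol, which is exactly the question that came up on the previous posting. Suggest folding the rationale from the discussion into the comment so the next reader does not have to redo the research, e.g. "/* Max amount of data we send/recv for SASL steps, as a server-side sanity check against DoS. 1MB is well above the 65,535-byte MaxTokenSize Microsoft recommends for Kerberos tickets; not part of the protocol, so it can be raised. */". Also prefer "DoS" over "DOS" to avoid confusion with the operating system.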
FYI, last time I posted this series, a question was raised about whether
this limit is large enough for Windows Kerberos tickets with lots of
groups. I've done a little googling and found this Microsoft technote
http://technet.microsoft.com/en-us/library/cc756101.aspx
"Recommended Maximum Kerberos Settings
The maximum recommended size for a Kerberos ticket is 65,535 bytes,
which is configured through the MaxTokenSize REG_DWORD value in the
registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Lsa\Kerberos\Parameters).
Increasing this value from the default may cause errors, particularly
when Web browsers or Web servers are used."
Given that Microsoft recommends a max size of 65,535 bytes I think we
should be OK with this 1MB limit on a SASL auth step. In any case this
is only a server side sanity check, not a fundamental part of the auth
protocol definition, so we can easily increase it in future should it become
a problem.
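As an added illustration of the kind of check the 1MB bound implies, here is a small C example; it is not code from the patch or from QEMU, and it assumes a hypothetical wire format (a 4-byte big-endian length followed by that many bytes of SASL step data) purely for demonstration. The point it shows is that the client-announced length is validated against SASL_DATA_MAX_LEN before any allocation, so a hostile length such as 0xFFFFFFFF neither drives a huge malloc nor wraps the `len + 1` arithmetic:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same bound as the patch: 1MB per SASL step, a server-side sanity limit. */
#define SASL_DATA_MAX_LEN (1024 * 1024)

/* Assumed (hypothetical) wire format: 4-byte big-endian length + data. */
static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Accept a client-announced step length only if it is within the bound.
 * Returns 1 if acceptable, 0 if the message must be rejected. */
int sasl_step_len_ok(uint32_t len)
{
    /* 65,535 bytes (Microsoft's MaxTokenSize recommendation) passes easily. */
    return len <= SASL_DATA_MAX_LEN;
}

/* Parse one step message from buf. On success returns the data length and
 * stores a NUL-terminated copy in *out (caller frees). Returns -1 and sets
 * *out to NULL if the message is truncated or the length exceeds the bound. */
long parse_sasl_step(const unsigned char *buf, size_t buflen, unsigned char **out)
{
    *out = NULL;
    if (buflen < 4)
        return -1;                       /* no complete length header */
    uint32_t len = read_be32(buf);
    if (!sasl_step_len_ok(len))
        return -1;                       /* over the bound: never allocate */
    if (buflen - 4 < len)
        return -1;                       /* truncated message */
    /* len <= 1MB here, so len + 1 cannot wrap around. */
    unsigned char *copy = malloc((size_t)len + 1);
    if (!copy)
        return -1;
    memcpy(copy, buf + 4, len);
    copy[len] = '\0';
    *out = copy;
    return (long)len;
}

/* Run the constructed scenarios; returns 1 if all behave as expected. */
int demo_checks(void)
{
    /* Constructed messages, not captured traffic. */
    unsigned char good[] = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
    unsigned char evil[] = {0xff, 0xff, 0xff, 0xff, 'x'};      /* bogus length */
    unsigned char trunc[] = {0, 0, 0, 9, 'a', 'b'};             /* short body */
    unsigned char *out = NULL;
    int ok = 1;

    if (parse_sasl_step(good, sizeof good, &out) != 5 ||
        out == NULL || memcmp(out, "hello", 5) != 0)
        ok = 0;
    free(out);
    if (parse_sasl_step(evil, sizeof evil, &out) != -1 || out != NULL)
        ok = 0;
    if (parse_sasl_step(trunc, sizeof trunc, &out) != -1 || out != NULL)
        ok = 0;
    if (!sasl_step_len_ok(65535) || sasl_step_len_ok(SASL_DATA_MAX_LEN + 1))
        ok = 0;
    return ok;
}

int main(void)
{
    printf("bound checks %s\n", demo_checks() ? "ok" : "FAILED");
    return demo_checks() ? 0 : 1;
}
```

The order matters: the bound is checked on the announced length first, the available bytes second, and only then is memory allocated, so an attacker controls neither the allocation size nor the copy length beyond what the server has agreed to accept.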