Merge pull request #101 from abbra/increase-gss-buffers

Increase buffer size for GSSAPI exchanges

.cirrus.yml

@@ -3,7 +3,7 @@ env:
 
 freebsd_13_task:
   freebsd_instance:
-    image_family: freebsd-13-0
+    image_family: freebsd-13-3
   install_script:
     - pkg install -y autoconf automake
     - ./package/setup-configure

conserver.cf/conserver.cf.man.in

@@ -385,11 +385,14 @@ Turn redirection on or off (see the
 .B \-R
 command-line flag).
 .TP
-\f3reinitcheck\fP \f2number\fP
+\f3reinitcheck\fP \f2number\fP[\f3s\fP|\f3m\fP]
 .br
 Set the number of minutes used between reinitialization checks (see the
 .B \-O
 command-line flag).
+If an `s' or `m' is used after
+.IR number ,
+the specified time is interpreted as seconds or minutes.
 .TP
 \f3secondaryport\fP \f2number\fP|\f2name\fP
 .br

conserver/Makefile.in

@@ -1,6 +1,7 @@
 ### Path settings
 datarootdir = @datarootdir@
 srcdir = @srcdir@
+VPATH = @srcdir@
 top_srcdir = @top_srcdir@
 prefix = @prefix@
 exec_prefix = @exec_prefix@

conserver/access.c

@@ -146,6 +146,12 @@ AccType(INADDR_STYPE *addr, char **peername)
     so = sizeof(*addr);
 
 #if USE_IPV6
+    /*
+     * XXX where is the TRUST_REVERSE_DNS support for IPv6???
+     *
+     * XXX IPv4 should use getnameinfo() et al as well
+     * (if available, they are in IEEE Std 1003.1g-2000)
+     */
     error =
 	getnameinfo((struct sockaddr *)addr, so, ipaddr, sizeof(ipaddr),
 		    NULL, 0, NI_NUMERICHOST);
@@ -153,7 +159,11 @@ AccType(INADDR_STYPE *addr, char **peername)
 	Error("AccType(): getnameinfo failed: %s", gai_strerror(error));
 	goto common_ret;
     }
-    CONDDEBUG((1, "AccType(): ip=%s", ipaddr));
+    CONDDEBUG((1, "AccType(): ip=%s (%s)", ipaddr,
+	       addr->ss_family == AF_UNSPEC ? "AF_UNSPEC" : 
+	       addr->ss_family == AF_LOCAL ? "AF_LOCAL" : 
+	       addr->ss_family == AF_INET ? "AF_INET" : 
+	       addr->ss_family == AF_INET6 ? "AF_INET6" : "IF_???"));
 
     error =
 	getnameinfo((struct sockaddr *)addr, so, host, sizeof(host), NULL,
@@ -189,7 +199,7 @@ AccType(INADDR_STYPE *addr, char **peername)
   common_ret:
     if (config->loghostnames == FLAGTRUE && !error)
 	*peername = StrDup(host);
-#else
+#else  /* !USE_IPV6 */
 # if TRUST_REVERSE_DNS
     /* if we trust reverse dns, we get the names associated with
      * the address we're checking and then check each of those

conserver/client.h

@@ -89,6 +89,7 @@ typedef struct client {		/* Connection Information:              */
     FLAG confirmed;		/* confirm state                        */
     CLIENTSTATE cState;		/* state needing confirmation           */
     char cOption;		/* option initiating the confirmation   */
+    size_t tokenSize;		/* buffer size for GSSAPI token         */
 } CONSCLIENT;
 
 extern void Replay(CONSENT *, CONSFILE *, unsigned short);

conserver/consent.c

@@ -798,6 +798,8 @@ ConsDown(CONSENT *pCE, FLAG downHard, FLAG force)
     if (pCE->type == EXEC && pCE->execSlaveFD != 0) {
 	close(pCE->execSlaveFD);
 	pCE->execSlaveFD = 0;
+	free(pCE->execSlave);
+	pCE->execSlave = NULL;
     }
     pCE->fup = 0;
     pCE->nolog = 0;
@@ -913,6 +915,9 @@ ConsInit(CONSENT *pCE)
 	case HOST:
 	    {
 #if USE_IPV6
+		/* XXX IPv4 should use getaddrinfo() and getnameinfo() as well,
+		 * (if available, they are in IEEE Std 1003.1g-2000)
+		 */
 		int error;
 		char host[NI_MAXHOST];
 		char serv[NI_MAXSERV];
@@ -927,7 +932,7 @@ ConsInit(CONSENT *pCE)
 		Sleep(100000);	/* Not all terminal servers can keep up */
 
 #if USE_IPV6
-# if HAVE_MEMSET
+# if HAVE_MEMSET		/* XXX memset() is C89!!! */
 		memset(&hints, 0, sizeof(hints));
 # else
 		bzero(&hints, sizeof(hints));
@@ -964,8 +969,12 @@ ConsInit(CONSENT *pCE)
 # if HAVE_SETSOCKOPT
 			if (setsockopt
 			    (cofile, SOL_SOCKET, SO_KEEPALIVE,
-			     (char *)&one, sizeof(one)) < 0)
+			     (char *)&one, sizeof(one)) < 0) {
+			    Error
+				("[%s] %s:%s setsockopt(%u,SO_KEEPALIVE): %s",
+				 pCE->server, host, serv, cofile, strerror(errno));
 			    goto fail;
+			}
 # endif
 			if (!SetFlags(cofile, O_NONBLOCK, 0))
 			    goto fail;
@@ -973,20 +982,25 @@ ConsInit(CONSENT *pCE)
 			ret = connect(cofile, rp->ai_addr, rp->ai_addrlen);
 			if (ret == 0 || errno == EINPROGRESS)
 			    goto success;
-
+			Error("[%s] %s:%s connect(%u): %s",
+			      pCE->server, host, serv, cofile, strerror(errno));
 		      fail:
 			close(cofile);
+		    } else {
+			Error
+			    ("[%s] %s:%s socket(AF_INET,SOCK_STREAM): %s",
+			     pCE->server, host, serv, strerror(errno));
 		    }
 		    rp = rp->ai_next;
 		}
 
-		Error("[%s]: Unable to connect to %s:%s", pCE->server,
-		      host, serv);
+		Error("[%s] Unable to connect to %s:%s, forcing down", pCE->server,
+		      pCE->host, serv);
 		ConsDown(pCE, FLAGTRUE, FLAGTRUE);
 		return;
 	      success:
 		freeaddrinfo(ai);
-#else
+#else  /* !USE_IPV6 */
 # if HAVE_MEMSET
 		memset((void *)&port, 0, sizeof(port));
 # else
@@ -1308,7 +1322,7 @@ AddrsMatch(char *addr1, char *addr2)
 {
 #if USE_IPV6
     int error, ret = 0;
-    struct addrinfo *ai1, *ai2, hints;
+    struct addrinfo *ai1, *ai2, *rp1, *rp2, hints;
 #else
     /* so, since we might use inet_addr, we're going to use
      * (in_addr_t)(-1) as a sign of an invalid ip address.
@@ -1346,17 +1360,19 @@ AddrsMatch(char *addr1, char *addr2)
 	goto done;
     }
 
-    for (; ai1 != NULL; ai1 = ai1->ai_next) {
-	for (; ai2 != NULL; ai2 = ai2->ai_next) {
-	    if (ai1->ai_addr->sa_family != ai2->ai_addr->sa_family)
+    rp1 = ai1;
+    rp2 = ai2;
+    for (; rp1 != NULL; rp1 = rp1->ai_next) {
+	for (; rp2 != NULL; rp2 = rp2->ai_next) {
+	    if (rp1->ai_addr->sa_family != rp2->ai_addr->sa_family)
 		continue;
 
 	    if (
 # if HAVE_MEMCMP
-		   memcmp(&ai1->ai_addr, &ai2->ai_addr,
+		   memcmp(&rp1->ai_addr, &rp2->ai_addr,
 			  sizeof(struct sockaddr_storage))
 # else
-		   bcmp(&ai1->ai_addr, &ai2->ai_addr,
+		   bcmp(&rp1->ai_addr, &rp2->ai_addr,
 			sizeof(struct sockaddr_storage))
 # endif
 		   == 0) {

conserver/cutil.c

@@ -262,7 +262,7 @@ DestroyString(STRING *msg)
 {
     if (msg->prev == (STRING *)0 && msg->next == (STRING *)0 &&
 	allStrings != msg) {
-	CONDDEBUG((1, "DestroyString(): 0x%lx non-pooled string destroyed",
+	CONDDEBUG((3, "DestroyString(): 0x%lx non-pooled string destroyed",
 		   (void *)msg, stringCount));
     } else {
 	if (msg->prev != (STRING *)0)
@@ -273,7 +273,7 @@ DestroyString(STRING *msg)
 	    allStrings = msg->next;
 	}
 	stringCount--;
-	CONDDEBUG((1,
+	CONDDEBUG((3,
 		   "DestroyString(): 0x%lx string destroyed (count==%d)",
 		   (void *)msg, stringCount));
     }
@@ -296,7 +296,7 @@ AllocString(void)
     allStrings = s;
     InitString(s);
     stringCount++;
-    CONDDEBUG((1, "AllocString(): 0x%lx created string #%d", (void *)s,
+    CONDDEBUG((3, "AllocString(): 0x%lx created string #%d", (void *)s,
 	       stringCount));
     return s;
 }
@@ -708,7 +708,7 @@ FileUnopen(CONSFILE *cfp)
 	    break;
 #if HAVE_OPENSSL
 	case SSLSocket:
-	    retval = -1;
+	    retval = cfp->fd;
 	    break;
 #endif
 	default:
@@ -2415,7 +2415,7 @@ GetWord(FILE *fp, int *line, short spaceok, STRING *word)
     while ((c = fgetc(fp)) != EOF) {
 	if (c == '\n') {
 	    (*line)++;
-	    if (checkInc == -2)
+	    if (checkInc == -2 || checkInc == 0)
 		checkInc = -1;
 	}
 	if (comment) {
@@ -2592,11 +2592,17 @@ ParseFile(char *filename, FILE *fp, int level)
 			  strerror(errno));
 	    } else {
 		char *fname;
+		char *sfile;
+		int sline;
 		/* word gets destroyed, so save the name */
 		fname = StrDup(word->string);
+		sfile = file;
+		sline = line;
 		ParseFile(fname, lfp, level + 1);
 		fclose(lfp);
 		free(fname);
+		file = sfile;
+		line = sline;
 	    }
 	} else {
 	    switch (state) {

conserver/group.c

@@ -1023,7 +1023,7 @@ ReUp(GRPENT *pGE, short automatic)
     /* update all the timers */
     if (automatic == 0 || automatic == 2) {
 	if (config->reinitcheck)
-	    timers[T_REINIT] = tyme + (config->reinitcheck * 60);
+	    timers[T_REINIT] = tyme + config->reinitcheck;
     }
     if (!fNoautoreup)
 	timers[T_AUTOUP] = tyme + 60;
@@ -1964,13 +1964,19 @@ int
 AttemptGSSAPI(CONSCLIENT *pCL)
 {
     int nr, ret = 0;
-    char buf[1024];
+    char *buf = NULL;
     gss_buffer_desc sendtok, recvtok, dbuf;
     gss_ctx_id_t gssctx = GSS_C_NO_CONTEXT;
     OM_uint32 stmaj, stmin, mctx, dmin;
     gss_name_t user = 0;
 
-    if ((nr = FileRead(pCL->fd, buf, sizeof(buf))) <= 0) {
+    buf = malloc(pCL->tokenSize);
+    if (buf == NULL) {
+	Error("Unable to allocate a buffer for GSSAPI token");
+	return -1;
+    }
+    if ((nr = FileRead(pCL->fd, buf, pCL->tokenSize)) <= 0) {
+	free(buf);
 	return nr;
     }
     recvtok.value = buf;
@@ -2009,6 +2015,8 @@ AttemptGSSAPI(CONSCLIENT *pCL)
 	    Error("GSSAPI didn't work, %*s", dbuf.length, dbuf.value);
 	    ret = -1;
     }
+
+    free(buf);
     return ret;
 }
 #endif
@@ -2175,7 +2183,7 @@ CommandExamine(GRPENT *pGE, CONSCLIENT *pCLServing, CONSENT *pCEServing,
 	char p = '\000';
 	switch (pCE->type) {
 	    case EXEC:
-		d = pCE->execSlave;
+		d = (pCE->execSlaveFD > 0) ? pCE->execSlave : "(inactive)";
 		b = "Local";
 		p = ' ';
 		break;
@@ -2343,7 +2351,8 @@ CommandInfo(GRPENT *pGE, CONSCLIENT *pCLServing, CONSENT *pCEServing,
 	    case EXEC:
 		FilePrint(pCLServing->fd, FLAGTRUE, "|:%s,%lu,%s,%d:",
 			  (pCE->exec != (char *)0 ? pCE->exec : "/bin/sh"),
-			  (unsigned long)pCE->ipid, pCE->execSlave,
+			  (unsigned long)pCE->ipid,
+			  (pCE->execSlaveFD > 0) ? pCE->execSlave : "(inactive)",
 			  FileFDNum(pCE->cofile));
 		break;
 #if HAVE_FREEIPMI
@@ -3097,12 +3106,31 @@ DoClientRead(GRPENT *pGE, CONSCLIENT *pCLServing)
 		    }
 #endif
 #if HAVE_GSSAPI
+#define MAX_GSSAPI_TOKSIZE 64*1024
 		} else if (pCLServing->iState == S_IDENT &&
 			   strcmp(pcCmd, "gssapi") == 0) {
-		    FileWrite(pCLServing->fd, FLAGFALSE, "ok\r\n", -1);
-		    /* Change the I/O mode right away, we'll do the read
-		     * and accept when the select gets back to us */
-		    pCLServing->ioState = INGSSACCEPT;
+		    if (pcArgs == (char *)0) {
+			FileWrite(pCLServing->fd, FLAGFALSE,
+				  "gssapi requires argument\r\n", -1);
+		    } else {
+			FileWrite(pCLServing->fd, FLAGFALSE, "ok\r\n", -1);
+			/* Read the token size but limit it to 64K,
+			 * that's practical limit for GSSAPI krb5 mechanism.
+			 *
+			 * The client connection will be rejected for large
+			 * requests as server will not be able to parse
+			 * incomplete ASN.1 but this is intentional. */
+			pCLServing->tokenSize = (size_t) strtol(pcArgs, NULL, 10);
+			if (pCLServing->tokenSize > MAX_GSSAPI_TOKSIZE) {
+			    FileWrite(pCLServing->fd, FLAGFALSE,
+			              "gssapi token size too large\r\n", -1);
+			    pCLServing->tokenSize = MAX_GSSAPI_TOKSIZE;
+			}
+
+			/* Change the I/O mode right away, we'll do the read
+			 * and accept when the select gets back to us */
+			pCLServing->ioState = INGSSACCEPT;
+		    }
 #endif
 		} else if (pCLServing->iState == S_IDENT &&
 			   strcmp(pcCmd, "login") == 0) {
@@ -3242,7 +3270,6 @@ DoClientRead(GRPENT *pGE, CONSCLIENT *pCLServing)
 			    TagLogfileAct(pCEServing, "%s attached",
 					  pCLServing->acid->string);
 			} else {
-			    ClientWantsWrite(pCLServing);
 			    FileWrite(pCLServing->fd, FLAGFALSE,
 				      "[spy]\r\n", -1);
 			}
@@ -3789,7 +3816,9 @@ DoClientRead(GRPENT *pGE, CONSCLIENT *pCLServing)
 
 			    case 'c':
 				if (!pCLServing->fwr) {
-				    goto unknownchar;
+				    FileWrite(pCLServing->fd, FLAGFALSE,
+					      "attach to toggle flow control]\r\n", -1);
+				    continue;
 				}
 				CommandChangeFlow(pGE, pCLServing,
 						  pCEServing, tyme);
@@ -3797,7 +3826,9 @@ DoClientRead(GRPENT *pGE, CONSCLIENT *pCLServing)
 
 			    case 'd':	/* down a console       */
 				if (!pCLServing->fwr) {
-				    goto unknownchar;
+				    FileWrite(pCLServing->fd, FLAGFALSE,
+					      "attach to down console]\r\n", -1);
+				    continue;
 				}
 				CommandDown(pGE, pCLServing, pCEServing,
 					    tyme);
@@ -3836,7 +3867,9 @@ DoClientRead(GRPENT *pGE, CONSCLIENT *pCLServing)
 
 			    case 'L':
 				if (!pCLServing->fwr) {
-				    goto unknownchar;
+				    FileWrite(pCLServing->fd, FLAGFALSE,
+					      "attach to toggle logging]\r\n", -1);
+				    continue;
 				}
 				CommandLogging(pGE, pCLServing, pCEServing,
 					       tyme);
@@ -3844,7 +3877,9 @@ DoClientRead(GRPENT *pGE, CONSCLIENT *pCLServing)
 
 			    case 'l':	/* halt character 1     */
 				if (!pCLServing->fwr) {
-				    goto unknownchar;
+				    FileWrite(pCLServing->fd, FLAGFALSE,
+					      "attach to send break]\r\n", -1);
+				    continue;
 				}
 				if (pCEServing->fronly) {
 				    FileWrite(pCLServing->fd, FLAGFALSE,
@@ -3923,10 +3958,12 @@ DoClientRead(GRPENT *pGE, CONSCLIENT *pCLServing)
 				break;
 
 			    case 's':	/* spy mode */
-				if (!pCLServing->fwr) {
-				    goto unknownchar;
-				}
 				pCLServing->fwantwr = 0;
+				if (!pCLServing->fwr) {
+				    FileWrite(pCLServing->fd, FLAGFALSE,
+					      "ok]\r\n", -1);
+				    continue;
+				}
 				BumpClient(pCEServing, (char *)0);
 				TagLogfileAct(pCEServing, "%s detached",
 					      pCLServing->acid->string);
@@ -3988,7 +4025,9 @@ DoClientRead(GRPENT *pGE, CONSCLIENT *pCLServing)
 
 			    case '!':	/* invoke a task */
 				if (!pCLServing->fwr) {
-				    goto unknownchar;
+				    FileWrite(pCLServing->fd, FLAGFALSE,
+					      "attach to invoke task]\r\n", -1);
+				    continue;
 				}
 				pCLServing->iState = S_TASK;
 				FileWrite(pCLServing->fd, FLAGFALSE,
@@ -5038,7 +5077,7 @@ Spawn(GRPENT *pGE, int msfd)
     struct sockaddr_in lstn_port;
 # endif
 # if HAVE_SETSOCKOPT
-    int true = 1;
+    int sock_opt_true = 1;
 # endif
     unsigned short portInc = 0;
 #else
@@ -5065,8 +5104,8 @@ Spawn(GRPENT *pGE, int msfd)
 	}
 # if HAVE_SETSOCKOPT
 	if (setsockopt
-	    (sfd, SOL_SOCKET, SO_REUSEADDR, (char *)&true,
-	     sizeof(true)) < 0) {
+	    (sfd, SOL_SOCKET, SO_REUSEADDR, (char *)&sock_opt_true,
+	     sizeof(sock_opt_true)) < 0) {
 	    Error("Spawn(): setsockopt(%u,SO_REUSEADDR): %s", sfd,
 		  strerror(errno));
 	    return;
@@ -5197,7 +5236,7 @@ Spawn(GRPENT *pGE, int msfd)
     }
 # if HAVE_SETSOCKOPT
     if (setsockopt
-	(sfd, SOL_SOCKET, SO_REUSEADDR, (char *)&true, sizeof(true))
+	(sfd, SOL_SOCKET, SO_REUSEADDR, (char *)&sock_opt_true, sizeof(sock_opt_true))
 	< 0) {
 	Error("Spawn(): setsockopt(%u,SO_REUSEADDR): %s", sfd,
 	      strerror(errno));

conserver/main.c

@@ -53,8 +53,8 @@ int fAll = 0, fNoinit = 0, fVersion = 0, fStrip = 0, fReopen =
 char *pcConfig = CONFIGFILE;
 int cMaxMemb = MAXMEMB;
 #if USE_IPV6
-struct addrinfo *bindAddr;
-struct addrinfo *bindBaseAddr;
+struct addrinfo *bindAddr = (struct addrinfo *)0;
+struct addrinfo *bindBaseAddr = (struct addrinfo *)0;
 #else
 in_addr_t bindAddr = INADDR_ANY;
 unsigned short bindPort;
@@ -781,8 +781,10 @@ DestroyDataStructures(void)
 
 #if USE_IPV6
     /* clean up addrinfo stucts */
-    freeaddrinfo(bindAddr);
-    freeaddrinfo(bindBaseAddr);
+    if ((struct addrinfo *)0 != bindAddr)
+	freeaddrinfo(bindAddr);
+    if ((struct addrinfo *)0 != bindBaseAddr)
+	freeaddrinfo(bindBaseAddr);
 #else
     if (myAddrs != (struct in_addr *)0)
 	free(myAddrs);
@@ -1363,7 +1365,7 @@ main(int argc, char **argv)
 		break;
 	    case 'O':
 		/* How often to try opening all down consoles, in minutes */
-		optConf->reinitcheck = atoi(optarg);
+		optConf->reinitcheck = atoi(optarg) * 60;
 		break;
 	    case 'p':
 		if ((optConf->primaryport = StrDup(optarg)) == (char *)0)

conserver/master.c

@@ -690,7 +690,7 @@ Master(void)
     struct sockaddr_in master_port;
 # endif
 # if HAVE_SETSOCKOPT
-    int true = 1;
+    int sock_opt_true = 1;
 # endif
 #else
     struct sockaddr_un master_port;
@@ -750,8 +750,8 @@ Master(void)
 
 # if HAVE_SETSOCKOPT
 	if (setsockopt
-	    (msfd, SOL_SOCKET, SO_REUSEADDR, (char *)&true,
-	     sizeof(true)) < 0)
+	    (msfd, SOL_SOCKET, SO_REUSEADDR, (char *)&sock_opt_true,
+	     sizeof(sock_opt_true)) < 0)
 	    goto fail;
 # endif
 	if (!SetFlags(msfd, O_NONBLOCK, 0))
@@ -821,8 +821,8 @@ Master(void)
     }
 # if HAVE_SETSOCKOPT
     if (setsockopt
-	(msfd, SOL_SOCKET, SO_REUSEADDR, (char *)&true,
-	 sizeof(true)) < 0) {
+	(msfd, SOL_SOCKET, SO_REUSEADDR, (char *)&sock_opt_true,
+	 sizeof(sock_opt_true)) < 0) {
 	Error("Master(): setsockopt(%u,SO_REUSEADDR): %s", msfd,
 	      strerror(errno));
 	return;

conserver/readcfg.c

@@ -4562,6 +4562,7 @@ void
 ConfigItemReinitcheck(char *id)
 {
     char *p;
+    int factor = 0;
 
     CONDDEBUG((1, "ConfigItemReinitcheck(%s) [%s:%d]", id, file, line));
 
@@ -4570,18 +4571,22 @@ ConfigItemReinitcheck(char *id)
 	return;
     }
 
-    for (p = id; *p != '\000'; p++)
-	if (!isdigit((int)(*p)))
+    for (p = id; factor == 0 && *p != '\000'; p++)
+	if (*p == 's' || *p == 'S')
+	    factor = 1;
+	else if (*p == 'm' || *p == 'M')
+	    factor = 60;
+	else if (!isdigit((int)(*p)))
 	    break;
 
-    /* if it wasn't a number */
+    /* if it wasn't a number or a qualifier wasn't at the end */
     if (*p != '\000') {
 	if (isMaster)
 	    Error("invalid reinitcheck value `%s' [%s:%d]", id, file,
 		  line);
 	return;
     }
-    parserConfigTemp->reinitcheck = atoi(id);
+    parserConfigTemp->reinitcheck = atoi(id) * (factor == 0 ? 60 : factor);
 }
 
 void

conserver/readcfg.h

@@ -18,7 +18,7 @@ typedef struct config {
     char *primaryport;
     FLAG redirect;
     FLAG loghostnames;
-    int reinitcheck;
+    int reinitcheck; /* stored in sec, configured in min or sec */
     char *secondaryport;
     char *unifiedlog;
     int initdelay;

console/Makefile.in

@@ -1,6 +1,7 @@
 ### Path settings
 datarootdir = @datarootdir@
 srcdir = @srcdir@
+VPATH = @srcdir@
 top_srcdir = @top_srcdir@
 prefix = @prefix@
 exec_prefix = @exec_prefix@

console/console.c

@@ -167,11 +167,12 @@ AttemptSSL(CONSFILE *pcf)
 #endif
 
 #if HAVE_GSSAPI
+#define MAX_GSSAPI_TOKSIZE 64*1024
 gss_name_t gss_server_name = GSS_C_NO_NAME;
 gss_ctx_id_t secctx = GSS_C_NO_CONTEXT;
 gss_buffer_desc mytok = GSS_C_EMPTY_BUFFER;
 
-int
+size_t
 CanGetGSSContext(const char *servername)
 {
     char namestr[128];
@@ -208,18 +209,22 @@ CanGetGSSContext(const char *servername)
 }
 
 int
-AttemptGSSAPI(CONSFILE *pcf)
+AttemptGSSAPI(CONSFILE *pcf, size_t toksize)
 {
     OM_uint32 stmaj, stmin;
     gss_buffer_desc servertok;
-    char buf[1024];
+    char *buf = NULL;
     int nr;
     int ret;
 
+    buf = malloc(toksize);
+    if (buf == NULL) {
+	return -1;
+    }
     FileSetQuoteIAC(pcf, FLAGFALSE);
     FileWrite(pcf, FLAGFALSE, mytok.value, mytok.length);
     FileSetQuoteIAC(pcf, FLAGTRUE);
-    nr = FileRead(pcf, buf, sizeof(buf));
+    nr = FileRead(pcf, buf, toksize);
     servertok.length = nr;
     servertok.value = buf;
 
@@ -233,6 +238,7 @@ AttemptGSSAPI(CONSFILE *pcf)
 
     ret = (stmaj == GSS_S_COMPLETE);
     gss_release_name(&stmin, &gss_server_name);
+    free(buf);
     return ret;
 }
 #endif
@@ -1586,7 +1592,7 @@ DoCmds(char *master, char *pports, int cmdi)
     char *pcopy;
     char *serverName;
 #if HAVE_GSSAPI
-    int toksize;
+    size_t toksize;
 #endif
 
     if ((pcopy = ports = StrDup(pports)) == (char *)0)
@@ -1671,10 +1677,16 @@ DoCmds(char *master, char *pports, int cmdi)
 #endif
 #if HAVE_GSSAPI
 	if ((toksize = CanGetGSSContext(server)) > 0) {
+	    if (toksize > MAX_GSSAPI_TOKSIZE) {
+		Error("Maximum support GSSAPI token size is %lu, "
+		      "GSSAPI context creation reported %lu. "
+		      "Server will reject authentication.",
+		      MAX_GSSAPI_TOKSIZE, toksize);
+	    }
 	    FilePrint(pcf, FLAGFALSE, "gssapi %d\r\n", toksize);
 	    t = ReadReply(pcf, FLAGFALSE);
 	    if (strcmp(t, "ok\r\n") == 0) {
-		if (AttemptGSSAPI(pcf)) {
+		if (AttemptGSSAPI(pcf, toksize)) {
 		    goto gssapi_logged_me_in;
 		}
 	    }

test/test1.cf

@@ -7,6 +7,9 @@ default * {
 	timestamp "";
 	include full;
 }
+config * {
+	reinitcheck 1s;
+}
 break 5 {
 	string "\rtest\r";
 }