ITS#2869 fix decode length checks again
authorHoward Chu <hyc@openldap.org>
Thu, 11 Dec 2003 13:24:06 +0000 (13:24 +0000)
committerHoward Chu <hyc@openldap.org>
Thu, 11 Dec 2003 13:24:06 +0000 (13:24 +0000)
include/lutil.h
libraries/liblutil/passwd.c

index 8087647459d2fed26ea373ee44b446834a468e36..3c824aa976c91a4df621c06ef1d9cb34b11fb7cc 100644 (file)
@@ -29,7 +29,7 @@ LDAP_BEGIN_DECL
 /* Avoid floating point math through extra padding */
 
 #define LUTIL_BASE64_ENCODE_LEN(n)     (((n)+2)/3 * 4)
-#define LUTIL_BASE64_DECODE_LEN(n)     (((n)+3)/4 * 3)
+#define LUTIL_BASE64_DECODE_LEN(n)     ((n)/4*3)
 
 /* ISC Base64 Routines */
 /* base64.c */
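Review bot: Rounding `LUTIL_BASE64_DECODE_LEN` down means the buffer sized from it can be smaller than the bound handed to the decoder when the stored value's length is not a multiple of four. The chk_sha1 and chk_md5 hunks allocate `LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1` bytes, while the chk_ssha1 and chk_smd5 hunks pass `passwd->bv_len` as the third argument of `lutil_b64_pton`, which I read as the output limit. The allocations in chk_ssha1 and chk_smd5 are outside the visible hunks, so this assumes they match chk_sha1. Whether a trailing partial group can be stored past the allocation depends on `lutil_b64_pton`, which this page does not show. Passing the allocated size instead would remove the dependency, e.g. `rc = lutil_b64_pton(passwd->bv_val, orig_pass, LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1);`, or keep a round-up macro for sizing buffers and use the round-down form only in the length checks.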
index 6989d0d9d2b12313474d2040f265bbcb08db4155..c1bfa79e9bf5b4d2705594a9731cd61f08efed81 100644 (file)
@@ -101,6 +101,8 @@ struct pw_slist {
 
 /* password check routines */
 
+#define        SALT_SIZE       4
+
 static LUTIL_PASSWD_CHK_FUNC chk_md5;
 static LUTIL_PASSWD_CHK_FUNC chk_smd5;
 static LUTIL_PASSWD_HASH_FUNC hash_smd5;
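Review bot: `SALT_SIZE` is added without a comment, although it now does two jobs: it is the length of the salt generated in hash_ssha1/hash_smd5 and the minimum salt length accepted in chk_ssha1/chk_smd5. I would document that on the define, for example `/* salt bytes generated by hash_ssha1/hash_smd5; chk_ssha1/chk_smd5 reject stored values with a shorter salt */`. The old checks (`<= sizeof(digest)`) accepted any non-empty salt, so stored values produced elsewhere with a shorter salt would presumably start failing with -1. If that tightening is intended, it deserves a line in the commit message.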
@@ -483,7 +485,8 @@ static int chk_ssha1(
        unsigned char *orig_pass = NULL;
 
        /* safety check */
-       if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <= sizeof(SHA1digest)) {
+       if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <
+               sizeof(SHA1digest)+SALT_SIZE) {
                return -1;
        }
 
@@ -495,7 +498,7 @@ static int chk_ssha1(
 
        rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
 
-       if (rc < 0 || (unsigned)rc <= sizeof(SHA1digest)) {
+       if (rc < (int)(sizeof(SHA1digest)+SALT_SIZE)) {
                ber_memfree(orig_pass);
                return -1;
        }
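Review bot: The explicit `rc < 0` test is gone from this condition, so a decode failure is now rejected only implicitly, because a negative `rc` is below the positive right-hand side once that is cast to `int`. That is correct as written but easy to break in a later edit (dropping the cast would turn it into an unsigned comparison), so I would add a short comment such as `/* also catches rc < 0 from a failed decode */`. The same applies to the matching condition in the chk_smd5 hunk. The body of chk_ssha1 continues outside this hunk.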
@@ -526,6 +529,11 @@ static int chk_sha1(
        int rc;
        unsigned char *orig_pass = NULL;
  
+       /* safety check */
+       if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) < sizeof(SHA1digest)) {
+               return -1;
+       }
+
        /* base64 un-encode password */
        orig_pass = (unsigned char *) ber_memalloc( (size_t) (
                LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) );
@@ -564,7 +572,8 @@ static int chk_smd5(
        unsigned char *orig_pass = NULL;
 
        /* safety check */
-       if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <= sizeof(MD5digest)) {
+       if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <
+               sizeof(MD5digest)+SALT_SIZE) {
                return -1;
        }
 
@@ -576,7 +585,7 @@ static int chk_smd5(
 
        rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
 
-       if (rc < 0 || (unsigned)rc <= sizeof(MD5digest)) {
+       if (rc < (int)(sizeof(MD5digest)+SALT_SIZE)) {
                ber_memfree(orig_pass);
                return -1;
        }
@@ -608,6 +617,11 @@ static int chk_md5(
        int rc;
        unsigned char *orig_pass = NULL;
 
+       /* safety check */
+       if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) < sizeof(MD5digest)) {
+               return -1;
+       }
+
        /* base64 un-encode password */
        orig_pass = (unsigned char *) ber_memalloc( (size_t) (
                LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) );
@@ -1173,7 +1187,7 @@ static struct berval *hash_ssha1(
 {
        lutil_SHA1_CTX  SHA1context;
        unsigned char   SHA1digest[LUTIL_SHA1_BYTES];
-       char            saltdata[4];
+       char            saltdata[SALT_SIZE];
        struct berval digest;
        struct berval salt;
 
@@ -1223,7 +1237,7 @@ static struct berval *hash_smd5(
 {
        lutil_MD5_CTX   MD5context;
        unsigned char   MD5digest[LUTIL_MD5_BYTES];
-       char            saltdata[4];
+       char            saltdata[SALT_SIZE];
        struct berval digest;
        struct berval salt;