From: Kurt Zeilenga <kurt@openldap.org>
Date: Mon, 20 Jan 2003 23:46:35 +0000 (+0000)
Subject: ITS#2159: don't crash on malformed userPassword
X-Git-Tag: NO_SLAP_OP_BLOCKS~578
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=03b35cc621a6f05137f514dab9165c0b0c507aa1;p=openldap

ITS#2159: don't crash on malformed userPassword
---

diff --git a/libraries/liblutil/passwd.c b/libraries/liblutil/passwd.c
index c54da9ba54..144dd1afe5 100644
--- a/libraries/liblutil/passwd.c
+++ b/libraries/liblutil/passwd.c
@@ -486,7 +486,12 @@ static int chk_ssha1(
 	unsigned char SHA1digest[LUTIL_SHA1_BYTES];
 	int rc;
 	unsigned char *orig_pass = NULL;
- 
+
+	/* safety check */
+	if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <= sizeof(SHA1digest)) {
+		return -1;
+	}
+
 	/* decode base64 password */
 	orig_pass = (unsigned char *) ber_memalloc( (size_t) (
 		LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) );
@@ -495,7 +500,7 @@ static int chk_ssha1(
 
 	rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
 
-	if(rc < 0) {
+	if (rc <= sizeof(SHA1digest)) {
 		ber_memfree(orig_pass);
 		return -1;
 	}
@@ -561,6 +566,11 @@ static int chk_smd5(
 	int rc;
 	unsigned char *orig_pass = NULL;
 
+	/* safety check */
+	if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <= sizeof(MD5digest)) {
+		return -1;
+	}
+
 	/* base64 un-encode password */
 	orig_pass = (unsigned char *) ber_memalloc( (size_t) (
 		LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) );
@@ -568,7 +578,8 @@ static int chk_smd5(
 	if( orig_pass == NULL ) return -1;
 
 	rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
-	if ( rc < 0 ) {
+
+	if (rc <= sizeof(MD5digest)) {
 		ber_memfree(orig_pass);
 		return -1;
 	}