From 03b35cc621a6f05137f514dab9165c0b0c507aa1 Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Mon, 20 Jan 2003 23:46:35 +0000 Subject: [PATCH] ITS#2159: don't crash on malformed userPassword --- libraries/liblutil/passwd.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/libraries/liblutil/passwd.c b/libraries/liblutil/passwd.c index c54da9ba54..144dd1afe5 100644 --- a/libraries/liblutil/passwd.c +++ b/libraries/liblutil/passwd.c @@ -486,7 +486,12 @@ static int chk_ssha1( unsigned char SHA1digest[LUTIL_SHA1_BYTES]; int rc; unsigned char *orig_pass = NULL; - + + /* safety check */ + if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <= sizeof(SHA1digest)) { + return -1; + } + /* decode base64 password */ orig_pass = (unsigned char *) ber_memalloc( (size_t) ( LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) ); @@ -495,7 +500,7 @@ static int chk_ssha1( rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len); - if(rc < 0) { + if (rc <= sizeof(SHA1digest)) { ber_memfree(orig_pass); return -1; } @@ -561,6 +566,11 @@ static int chk_smd5( int rc; unsigned char *orig_pass = NULL; + /* safety check */ + if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <= sizeof(MD5digest)) { + return -1; + } + /* base64 un-encode password */ orig_pass = (unsigned char *) ber_memalloc( (size_t) ( LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) ); @@ -568,7 +578,8 @@ static int chk_smd5( if( orig_pass == NULL ) return -1; rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len); - if ( rc < 0 ) { + + if (rc <= sizeof(MD5digest)) { ber_memfree(orig_pass); return -1; } -- 2.39.5