From 39eb55b5f452a9b238523b90a587bbf25a7bb7cd Mon Sep 17 00:00:00 2001
From: Howard Chu
Date: Thu, 11 Dec 2003 13:24:06 +0000
Subject: [PATCH] ITS#2869 fix decode length checks again
---
 include/lutil.h | 2 +-
 libraries/liblutil/passwd.c | 26 ++++++++++++++++++++------
 2 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/include/lutil.h b/include/lutil.h
index 8087647459..3c824aa976 100644
--- a/include/lutil.h
+++ b/include/lutil.h
@@ -29,7 +29,7 @@ LDAP_BEGIN_DECL
 /* Avoid floating point math through extra padding */
 #define LUTIL_BASE64_ENCODE_LEN(n) (((n)+2)/3 * 4)
-#define LUTIL_BASE64_DECODE_LEN(n) (((n)+3)/4 * 3)
+#define LUTIL_BASE64_DECODE_LEN(n) ((n)/4*3)
 /* ISC Base64 Routines */
 /* base64.c */
diff --git a/libraries/liblutil/passwd.c b/libraries/liblutil/passwd.c
index 6989d0d9d2..c1bfa79e9b 100644
--- a/libraries/liblutil/passwd.c
+++ b/libraries/liblutil/passwd.c
@@ -101,6 +101,8 @@ struct pw_slist {
 /* password check routines */
+#define SALT_SIZE 4
+
 static LUTIL_PASSWD_CHK_FUNC chk_md5;
 static LUTIL_PASSWD_CHK_FUNC chk_smd5;
 static LUTIL_PASSWD_HASH_FUNC hash_smd5;
@@ -483,7 +485,8 @@ static int chk_ssha1(
 unsigned char *orig_pass = NULL;
 /* safety check */
- if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <= sizeof(SHA1digest)) {
+ if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <
+ sizeof(SHA1digest)+SALT_SIZE) {
 return -1;
 }
@@ -495,7 +498,7 @@ static int chk_ssha1(
 rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
- if (rc < 0 || (unsigned)rc <= sizeof(SHA1digest)) {
+ if (rc < (int)(sizeof(SHA1digest)+SALT_SIZE)) {
 ber_memfree(orig_pass);
 return -1;
 }
@@ -526,6 +529,11 @@ static int chk_sha1(
 int rc;
 unsigned char *orig_pass = NULL;
+ /* safety check */
+ if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) < sizeof(SHA1digest)) {
+ return -1;
+ }
+
 /* base64 un-encode password */
 orig_pass = (unsigned char *) ber_memalloc( (size_t) ( LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) );
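Review bot: Rounding `LUTIL_BASE64_DECODE_LEN` down shrinks every buffer sized from it, and the passwd.c context in this patch shows buffers allocated as `LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1` while `lutil_b64_pton` is still called with `passwd->bv_len` as the output size. For an encoded length that is not a multiple of 4 the macro now counts only complete 4-character groups, so the bound handed to the decoder is larger than the buffer it writes into; whether a trailing partial group can be written past the end depends on `lutil_b64_pton`, which is not shown here. Passing the real capacity removes the dependency: `rc = lutil_b64_pton(passwd->bv_val, orig_pass, LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1);`. A comment on the macro stating that it counts complete groups only and is not an allocation size for arbitrary input would also help.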
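Review bot: The new minimum of `sizeof(SHA1digest)+SALT_SIZE` in `chk_ssha1` ties verification to the 4-byte salt that `hash_ssha1` generates, so a stored salted value with a shorter salt, which the old `<=` test accepted, is now rejected both at this pre-check and at the post-decode `rc` check in the following hunk; `chk_smd5` gets the same change. If values produced by other tools are expected to verify, the checks only need to guarantee a non-empty salt, e.g. `if (rc <= (int)sizeof(SHA1digest)) {`. If the stricter rule is intended, the `/* safety check */` comment should say that salts shorter than `SALT_SIZE` are refused on purpose. `chk_ssha1` starts and ends outside these hunks.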
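Review bot: The pre-check added to `chk_sha1` compares an estimate rather than the decoded size: `LUTIL_BASE64_DECODE_LEN` does not account for `=` padding, so an encoded value can pass this test and still decode to fewer than `sizeof(SHA1digest)` bytes. The later comparison against the digest is only safe if the return value of `lutil_b64_pton` is checked as well, as the salted variants do with `if (rc < (int)(sizeof(SHA1digest)+SALT_SIZE))`. That part of `chk_sha1` is outside the hunk, so confirm it has `if (rc != (int)sizeof(SHA1digest))` or an equivalent before the compare. The same applies to the check added to `chk_md5`.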
@@ -564,7 +572,8 @@ static int chk_smd5(
 unsigned char *orig_pass = NULL;
 /* safety check */
- if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <= sizeof(MD5digest)) {
+ if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) <
+ sizeof(MD5digest)+SALT_SIZE) {
 return -1;
 }
@@ -576,7 +585,7 @@ static int chk_smd5(
 rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
- if (rc < 0 || (unsigned)rc <= sizeof(MD5digest)) {
+ if (rc < (int)(sizeof(MD5digest)+SALT_SIZE)) {
 ber_memfree(orig_pass);
 return -1;
 }
@@ -608,6 +617,11 @@ static int chk_md5(
 int rc;
 unsigned char *orig_pass = NULL;
+ /* safety check */
+ if (LUTIL_BASE64_DECODE_LEN(passwd->bv_len) < sizeof(MD5digest)) {
+ return -1;
+ }
+
 /* base64 un-encode password */
 orig_pass = (unsigned char *) ber_memalloc( (size_t) ( LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) );
@@ -1173,7 +1187,7 @@ static struct berval *hash_ssha1(
 {
 lutil_SHA1_CTX SHA1context;
 unsigned char SHA1digest[LUTIL_SHA1_BYTES];
- char saltdata[4];
+ char saltdata[SALT_SIZE];
 struct berval digest;
 struct berval salt;
@@ -1223,7 +1237,7 @@ static struct berval *hash_smd5(
 {
 lutil_MD5_CTX MD5context;
 unsigned char MD5digest[LUTIL_MD5_BYTES];
- char saltdata[4];
+ char saltdata[SALT_SIZE];
 struct berval digest;
 struct berval salt;
-- 
2.39.5