freecwmp

[PATCH] fix authentication check for connection requests

To: freecwmp@linux-mips.org
Subject: [PATCH] fix authentication check for connection requests
From: Jonas Gorski <jonas.gorski@gmail.com>
Date: Mon, 18 Jun 2012 16:46:18 +0200
Original-recipient: rfc822;freecwmp@linux-mips.org
Sender: freecwmp-bounce@linux-mips.org
zstream_b64decode does not return a null terminated buffer, but the
code assumes that it is. This results in buffer overflows until the
next null byte is encountered in the length calculation, with
possible false rejections.

Since zstream_b64decode puts the size of the buffer into size, we
can directly use that instead of calculating the string length.

Contributed by T-Labs, Deutsche Telekom Innovation Laboratories

Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
---
 src/http/http.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/http/http.c b/src/http/http.c
index fea870a..19d9faf 100644
--- a/src/http/http.c
+++ b/src/http/http.c
@@ -454,8 +454,8 @@ http_new_client(struct uloop_fd *ufd, unsigned events)
                                        }
                                        snprintf(auth_basic_check, (len + 1), 
"%s:%s\0", username, password);
 
-                                       if (strlen(acs_auth_basic) == 
strlen(auth_basic_check)) {
-                                               len = strlen(acs_auth_basic);
+                                       if (size == strlen(auth_basic_check)) {
+                                               len = size;
                                        } else {
                                                auth_status = 0;
                                                goto free_resources;
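
Review bot: After `len = size;`, whatever consumes `len` below this hunk has to compare exactly `len` bytes (memcmp or an equivalent bounded loop) and must not call any str* function on acs_auth_basic, because per the commit message that buffer is still not NUL-terminated; please confirm, since that code is outside the visible context. In the new condition `size == strlen(auth_basic_check)`, strlen returns size_t, so if `size` is declared as a signed type the comparison converts it implicitly; declaring it size_t or casting explicitly would make the intent clear. Minor, in the unchanged snprintf line: the explicit `\0` at the end of the "%s:%s\0" format is redundant, as snprintf already terminates the output within `len + 1` bytes.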
-- 
1.7.10
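
An added example, not part of the original patch or the freecwmp code base: the length check the commit message describes, before and after, run on a constructed buffer that is not NUL-terminated at the decoded length. The function names, the sample credentials and the byte-comparison loop are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: 10 decoded bytes ("acs:secret") followed by stale
 * non-NUL bytes, the way memory after an unterminated buffer can look. */
static const unsigned char sample[16] = "acs:secretXXXXX";
static const size_t sample_size = 10;   /* length reported by the decoder */

/* Old behaviour: trust strlen() on the decoded buffer. */
int legacy_length_matches(const char *decoded, const char *expected)
{
    return strlen(decoded) == strlen(expected);
}

/* Compare n bytes without stopping at the first mismatch (choice made for
 * this example; the patch does not show how the bytes are compared). */
static int bytes_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Returns 1 only if the size decoded bytes are exactly "username:password". */
int check_basic_auth(const unsigned char *decoded, size_t size,
                     const char *username, const char *password)
{
    char expected[256];
    int n = snprintf(expected, sizeof(expected), "%s:%s", username, password);

    if (n < 0 || (size_t)n >= sizeof(expected))
        return 0;               /* credentials do not fit: reject */
    if (size != (size_t)n)
        return 0;               /* decoder's length, never strlen(decoded) */
    return bytes_equal(decoded, (const unsigned char *)expected, size);
}

int main(void)
{
    printf("legacy length check: %d\n",
           legacy_length_matches((const char *)sample, "acs:secret"));
    printf("size-based check:    %d\n",
           check_basic_auth(sample, sample_size, "acs", "secret"));
    return 0;
}
```

The legacy check rejects the valid credentials because strlen keeps counting past the 10 decoded bytes; the size-based check accepts them and still rejects a wrong password or a short buffer.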

