
Re: (ITS#7851) [PATCH] buffer overrun in password checkers with malformed hash



ryan@nardis.ca wrote:
> I checked the new pw-pbkdf2 module. It doesn't appear to be affected by
> this problem.

Thanks, all committed to master.
>
> On 11/05/14 07:56 PM, Ryan Tandy wrote:
>> ftp://ftp.openldap.org/incoming/rtandy_20140511_fix-passwd-b64-buffer_v2.patch
>
> You probably know this, but just in case it helps: "git am --keep-cr" is
> the way to apply that patch, because of apr1.c's line endings.
>
> There's a second bug in slapd-sha2.c, a missing cast causing the return
> value of lutil_b64_pton to be ignored. The built-in checkers already
> have the appropriate cast. Patch attached.
>
>>From 0683ded766e51e0521991fc1a5d2303cf95cc475 Mon Sep 17 00:00:00 2001
> From: Ryan Tandy <ryan@nardis.ca>
> Date: Thu, 26 Jun 2014 18:33:29 -0700
> Subject: [PATCH 2/2] ITS#7851 contrib pw-sha2 fix int/size_t comparison
>
> ---
>   contrib/slapd-modules/passwd/sha2/slapd-sha2.c | 6 +++---
>   1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/contrib/slapd-modules/passwd/sha2/slapd-sha2.c b/contrib/slapd-modules/passwd/sha2/slapd-sha2.c
> index 1ec7989..2e4fcb0 100644
> --- a/contrib/slapd-modules/passwd/sha2/slapd-sha2.c
> +++ b/contrib/slapd-modules/passwd/sha2/slapd-sha2.c
> @@ -244,7 +244,7 @@ static int chk_ssha256(
>
>   	rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len);
>
> -	if( rc <= sizeof(SHAdigest) ) {
> +	if( rc <= (int)(sizeof(SHAdigest)) ) {
>   		ber_memfree(orig_pass);
>   		return LUTIL_PASSWD_ERR;
>   	}
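
Review bot: In chk_ssha256, the `(int)` cast on `sizeof(SHAdigest)` is the only thing that lets a negative `rc` from `lutil_b64_pton` reach the error return, and nothing at the `if` says so. A separate `rc < 0` test, or a one-line comment above the comparison, would keep a later cleanup from dropping the cast and bringing back the unsigned comparison.
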
> @@ -332,7 +332,7 @@ static int chk_ssha384(
>
>   	rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len);
>
> -	if( rc <= sizeof(SHAdigest) ) {
> +	if( rc <= (int)(sizeof(SHAdigest)) ) {
>   		ber_memfree(orig_pass);
>   		return LUTIL_PASSWD_ERR;
>   	}
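
Review bot: The `<=` in chk_ssha384 also returns LUTIL_PASSWD_ERR when `rc` equals `sizeof(SHAdigest)`, that is, when the decoded value holds a digest and no salt bytes. If that is intended for the salted scheme, a short comment on the `if` stating it would document the boundary.
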
> @@ -420,7 +420,7 @@ static int chk_ssha512(
>
>   	rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len);
>
> -	if( rc <= sizeof(SHAdigest) ) {
> +	if( rc <= (int)(sizeof(SHAdigest)) ) {
>   		ber_memfree(orig_pass);
>   		return LUTIL_PASSWD_ERR;
>   	}
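
Review bot: chk_ssha512 carries the third copy of the same decode-and-length check, and this patch had to make the identical one-line change in all three checkers. Consider moving the `lutil_b64_pton` call and the `rc <= (int)(sizeof(SHAdigest))` test into one shared helper that takes the digest size, so a future fix cannot land in only some of them.
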
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
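
The int/size_t comparison fixed by the quoted patch, as an added example that is not part of the original thread or of OpenLDAP's code. `decode_stub`, `rejects_unsigned`, `rejects_signed`, `DIGEST_LEN` and the sample strings are constructed for illustration, and the -1 error return of the decoder is an assumed convention.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 32      /* stands in for sizeof(SHAdigest) in chk_ssha256 */
#define A10 "AAAAAAAAAA"   /* ten base64 characters, for building samples */

/* Hypothetical stand-in decoder: returns the decoded byte count,
 * or -1 when the input is not well-formed base64 (assumed convention). */
static int decode_stub(const char *b64)
{
    static const char ok[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
    size_t n = strlen(b64), pad;

    if (n == 0 || n % 4 != 0 || strspn(b64, ok) != n)
        return -1;
    pad = (size_t)(b64[n - 1] == '=') + (size_t)(b64[n - 2] == '=');
    return (int)(n / 4 * 3 - pad);
}

/* Pre-patch comparison. `rc <= sizeof(x)` converts rc to size_t; the cast
 * here spells out that implicit conversion, so -1 becomes SIZE_MAX. */
static int rejects_unsigned(int rc)
{
    return (size_t)rc <= (size_t)DIGEST_LEN;
}

/* Patched comparison: both operands are int, so -1 stays negative. */
static int rejects_signed(int rc)
{
    return rc <= (int)DIGEST_LEN;
}

int main(void)
{
    /* Constructed inputs: malformed, digest only, digest plus 4 salt bytes */
    const char *samples[] = { "!!!!", A10 A10 A10 A10 "AAA=",
                              A10 A10 A10 A10 "AAAAAAAA" };
    for (size_t i = 0; i < 3; i++) {
        int rc = decode_stub(samples[i]);
        printf("rc=%3d  pre-patch rejects=%d  patched rejects=%d\n",
               rc, rejects_unsigned(rc), rejects_signed(rc));
    }
    return 0;
}
```

Only the malformed sample separates the two checks: the decode error passes the pre-patch comparison and is caught by the patched one.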