changeset 9324:5d53b1d66d1b HEAD
auth: Check for potentially dangerous NULs in usernames.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Fri, 14 Aug 2009 02:54:41 -0400 |
parents | 93e2b0519e65 |
children | 4c42e72a3954 |
files | src/auth/mech-cram-md5.c src/auth/mech-digest-md5.c src/auth/mech-gssapi.c |
diffstat | 3 files changed, 29 insertions(+), 0 deletions(-) [+] |
--- a/src/auth/mech-cram-md5.c Fri Aug 14 02:54:02 2009 -0400 +++ b/src/auth/mech-cram-md5.c Fri Aug 14 02:54:41 2009 -0400 @@ -85,6 +85,10 @@ /* <username> SPACE <response>. Username may contain spaces, so assume the rightmost space is the response separator. */ for (i = space = 0; i < size; i++) { + if (data[i] == '\0') { + *error_r = "NULs in response"; + return FALSE; + } if (data[i] == ' ') space = i; }
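Review bot: The added check inside the `for` loop rejects a NUL anywhere in the response, not only in the username part that the commit title names, and nothing in the hunk records why. A short comment above the `if` would state the intent, for example `/* the username is handled as a C string later; an embedded NUL would silently truncate it */`. That reason is inferred from the commit title, so the author should confirm the wording. The enclosing function starts and ends outside the hunk.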
--- a/src/auth/mech-digest-md5.c Fri Aug 14 02:54:02 2009 -0400 +++ b/src/auth/mech-digest-md5.c Fri Aug 14 02:54:41 2009 -0400 @@ -477,6 +477,8 @@ return FALSE; } + /* treating response as NUL-terminated string also gets rid of all + potential problems with NUL characters in strings. */ copy = t_strdup_noconst(t_strndup(data, size)); while (*copy != '\0') { if (parse_next(©, &key, &value)) {
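Review bot: The new comment above `t_strndup(data, size)` does not mention that this path handles NULs differently from the CRAM-MD5 change in the same commit. There a NUL is rejected with an error, while here everything after the first NUL appears to be dropped silently, assuming t_strndup stops at the first NUL. The comment could say so explicitly, e.g. `/* data after the first NUL is ignored, not rejected */`. Alternatively the input could be rejected, so both mechanisms behave alike and the event shows up in the logs. The enclosing function continues outside the hunk.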
--- a/src/auth/mech-gssapi.c Fri Aug 14 02:54:02 2009 -0400 +++ b/src/auth/mech-gssapi.c Fri Aug 14 02:54:41 2009 -0400 @@ -213,6 +213,18 @@ return name; } +static bool data_has_nuls(const void *data, unsigned int len) +{ + const unsigned char *c = data; + unsigned int i; + + for (i = 0; i < len; i++) { + if (c[i] == '\0') + return TRUE; + } + return FALSE; +} + static int get_display_name(struct auth_request *auth_request, gss_name_t name, gss_OID *name_type_r, const char **display_name_r) { @@ -226,6 +238,11 @@ GSS_C_GSS_CODE, "gss_display_name"); return -1; } + if (data_has_nuls(buf.value, buf.length)) { + auth_request_log_info(auth_request, "gssapi", + "authn_name has NULs"); + return -1; + } *display_name_r = t_strndup(buf.value, buf.length); (void)gss_release_buffer(&minor_status, &buf); return 0; @@ -497,6 +514,12 @@ name = (unsigned char *)outbuf.value + 4; name_len = outbuf.length - 4; + if (data_has_nuls(name, name_len)) { + auth_request_log_info(auth_request, "gssapi", + "authz_name has NULs"); + return -1; + } + login_user = p_strndup(auth_request->pool, name, name_len); request->authz_name = import_name(auth_request, name, name_len); if (request->authz_name == GSS_C_NO_NAME) {
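Review bot: `data_has_nuls()` declares `unsigned int len`, but the first call site passes `buf.length` from a GSS-API buffer, which is a `size_t`, so the length is narrowed on 64-bit builds before the scan. Declaring the parameter as `size_t len` keeps the scanned range identical to what `t_strndup(buf.value, buf.length)` later copies. The hand-written loop can then become the standard call `return memchr(data, '\0', len) != NULL;`.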
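Review bot: The new `return -1` in get_display_name() leaves `buf` unreleased: the success path two lines below calls `gss_release_buffer(&minor_status, &buf)`, but the rejection path does not. Because the rejection is triggered by client-supplied data, the leak can recur on every rejected request in the auth process. Add `(void)gss_release_buffer(&minor_status, &buf);` before the `return -1;`. The authz_name check in the last hunk returns early in the same way while `outbuf` is live; whether that buffer is released on that path is not visible here and should be checked. Both functions extend beyond the hunks shown.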