changeset 9324:5d53b1d66d1b HEAD

auth: Check for potentially dangerous NULs in usernames.
author Timo Sirainen <tss@iki.fi>
date Fri, 14 Aug 2009 02:54:41 -0400
parents 93e2b0519e65
children 4c42e72a3954
files src/auth/mech-cram-md5.c src/auth/mech-digest-md5.c src/auth/mech-gssapi.c
diffstat 3 files changed, 29 insertions(+), 0 deletions(-) [+]
--- a/src/auth/mech-cram-md5.c	Fri Aug 14 02:54:02 2009 -0400
+++ b/src/auth/mech-cram-md5.c	Fri Aug 14 02:54:41 2009 -0400
@@ -85,6 +85,10 @@
 	/* <username> SPACE <response>. Username may contain spaces, so assume
 	   the rightmost space is the response separator. */
 	for (i = space = 0; i < size; i++) {
+		if (data[i] == '\0') {
+			*error_r = "NULs in response";
+			return FALSE;
+		}
 		if (data[i] == ' ')
 			space = i;
 	}
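Review bot: The new NUL check inside the scan loop has no comment saying why a NUL is dangerous here, and the reason is not obvious from the loop alone. A short why-comment above the check would help, for example `/* reject NULs: code that later treats the username as a C string would see it truncated */`; this assumes the username is handled as a C string further on, which the hunk does not show. The check also covers the response digest after the last space, which matches the "NULs in response" message. The enclosing function starts and ends outside the hunk.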
--- a/src/auth/mech-digest-md5.c	Fri Aug 14 02:54:02 2009 -0400
+++ b/src/auth/mech-digest-md5.c	Fri Aug 14 02:54:41 2009 -0400
@@ -477,6 +477,8 @@
 		return FALSE;
 	}
 
+	/* treating response as NUL-terminated string also gets rid of all
+	   potential problems with NUL characters in strings. */
 	copy = t_strdup_noconst(t_strndup(data, size));
 	while (*copy != '\0') {
 		if (parse_next(&copy, &key, &value)) {
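Review bot: The added comment overstates what `t_strndup(data, size)` gives you: the copy stops at the first NUL, so anything after an embedded NUL is silently dropped rather than rejected. That is inconsistent with the CRAM-MD5 and GSSAPI paths in this same commit, which fail the request. If rejection is the intent, a check such as `if (memchr(data, '\0', size) != NULL)` before the copy, returning FALSE with an error, would make the three mechanisms agree. Otherwise the comment should say that truncation at the first NUL is deliberate. The enclosing function starts and ends outside the hunk.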
--- a/src/auth/mech-gssapi.c	Fri Aug 14 02:54:02 2009 -0400
+++ b/src/auth/mech-gssapi.c	Fri Aug 14 02:54:41 2009 -0400
@@ -213,6 +213,18 @@
 	return name;
 }
 
+static bool data_has_nuls(const void *data, unsigned int len)
+{
+	const unsigned char *c = data;
+	unsigned int i;
+
+	for (i = 0; i < len; i++) {
+		if (c[i] == '\0')
+			return TRUE;
+	}
+	return FALSE;
+}
+
 static int get_display_name(struct auth_request *auth_request, gss_name_t name,
 			    gss_OID *name_type_r, const char **display_name_r)
 {
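Review bot: `data_has_nuls()` takes `unsigned int len`, but both callers pass lengths derived from a GSS buffer's `length` field, which is a `size_t`; on LP64 a value above UINT_MAX would be narrowed and only a prefix scanned. Declaring it as `static bool data_has_nuls(const void *data, size_t len)` avoids the conversion. The loop can then be replaced by `return memchr(data, '\0', len) != NULL;`, assuming `<string.h>` is already available in this file.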
@@ -226,6 +238,11 @@
 				      GSS_C_GSS_CODE, "gss_display_name");
 		return -1;
 	}
+	if (data_has_nuls(buf.value, buf.length)) {
+		auth_request_log_info(auth_request, "gssapi",
+				      "authn_name has NULs");
+		return -1;
+	}
 	*display_name_r = t_strndup(buf.value, buf.length);
 	(void)gss_release_buffer(&minor_status, &buf);
 	return 0;
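Review bot: The new `return -1` after `data_has_nuls(buf.value, buf.length)` leaves `buf` unreleased, whereas the success path just below calls `gss_release_buffer()` on it. A peer can trigger this path by sending a name with a NUL, so each rejected attempt leaks the display-name buffer. Add `(void)gss_release_buffer(&minor_status, &buf);` before the `return -1;`. The authz_name check in the next hunk also returns early with no release of `outbuf` visible there; it is worth confirming that a caller frees it. Part of get_display_name's body lies outside this hunk.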
@@ -497,6 +514,12 @@
 	name = (unsigned char *)outbuf.value + 4;
 	name_len = outbuf.length - 4;
 
+	if (data_has_nuls(name, name_len)) {
+		auth_request_log_info(auth_request, "gssapi",
+				      "authz_name has NULs");
+		return -1;
+	}
+
 	login_user = p_strndup(auth_request->pool, name, name_len);
 	request->authz_name = import_name(auth_request, name, name_len);
 	if (request->authz_name == GSS_C_NO_NAME) {