40 lines
1.6 KiB
Diff
40 lines
1.6 KiB
Diff
From dc0e10bec3334053c1a5297e50dd7052ea18aef0 Mon Sep 17 00:00:00 2001
|
|
From: Alex Bason <nonsleepr@gmail.com>
|
|
Date: Sun, 15 Oct 2023 13:04:47 +0000
|
|
Subject: [PATCH] Fix stack buffer overflow when parsing Digest Authorization
|
|
(#1517)
|
|
|
|
The bug was discovered and detailed by Joshua Rogers at
|
|
https://megamansec.github.io/Squid-Security-Audit/digest-overflow.html
|
|
where it was filed as "Stack Buffer Overflow in Digest Authentication".
|
|
---
|
|
src/auth/digest/Config.cc | 10 +++++++---
|
|
1 file changed, 7 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
|
|
index f00e2ba68..3c070d242 100644
|
|
--- a/src/auth/digest/Config.cc
|
|
+++ b/src/auth/digest/Config.cc
|
|
@@ -827,11 +827,15 @@ Auth::Digest::Config::decode(char const *proxy_auth, const HttpRequest *request,
|
|
break;
|
|
|
|
case DIGEST_NC:
|
|
- if (value.size() != 8) {
|
|
+ if (value.size() == 8) {
|
|
+ // for historical reasons, the nc value MUST be exactly 8 bytes
|
|
+ static_assert(sizeof(digest_request->nc) == 8 + 1);
|
|
+ xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
|
|
+ debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
|
|
+ } else {
|
|
debugs(29, 9, "Invalid nc '" << value << "' in '" << temp << "'");
|
|
+ digest_request->nc[0] = 0;
|
|
}
|
|
- xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
|
|
- debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
|
|
break;
|
|
|
|
case DIGEST_CNONCE:
|
|
--
|
|
2.25.1
|
|
|