64 lines
2.0 KiB
Diff
64 lines
2.0 KiB
Diff
commit eeebf0f37a72a2de08348e85ae34b02c34e9a811
|
|
Author: desbma-s1n <62935004+desbma-s1n@users.noreply.github.com>
|
|
Date: 2020-04-02 11:16:45 +0000
|
|
|
|
Fix auth digest refcount integer overflow (#585)
|
|
|
|
This fixes a possible overflow of the nonce reference counter in the
|
|
digest authentication scheme, found by security researchers
|
|
@synacktiv.
|
|
|
|
It changes `references` to be an 64 bits unsigned integer. This makes
|
|
overflowing the counter impossible in practice.
|
|
|
|
diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
|
|
index fdef7df..9deb184 100644
|
|
--- a/src/auth/digest/Config.cc
|
|
+++ b/src/auth/digest/Config.cc
|
|
@@ -94,9 +94,6 @@ static void authenticateDigestNonceDelete(digest_nonce_h * nonce);
|
|
static void authenticateDigestNonceSetup(void);
|
|
static void authDigestNonceEncode(digest_nonce_h * nonce);
|
|
static void authDigestNonceLink(digest_nonce_h * nonce);
|
|
-#if NOT_USED
|
|
-static int authDigestNonceLinks(digest_nonce_h * nonce);
|
|
-#endif
|
|
static void authDigestNonceUserUnlink(digest_nonce_h * nonce);
|
|
|
|
static void
|
|
@@ -289,21 +286,10 @@ authDigestNonceLink(digest_nonce_h * nonce)
|
|
{
|
|
assert(nonce != NULL);
|
|
++nonce->references;
|
|
+ assert(nonce->references != 0); // no overflows
|
|
debugs(29, 9, "nonce '" << nonce << "' now at '" << nonce->references << "'.");
|
|
}
|
|
|
|
-#if NOT_USED
|
|
-static int
|
|
-authDigestNonceLinks(digest_nonce_h * nonce)
|
|
-{
|
|
- if (!nonce)
|
|
- return -1;
|
|
-
|
|
- return nonce->references;
|
|
-}
|
|
-
|
|
-#endif
|
|
-
|
|
void
|
|
authDigestNonceUnlink(digest_nonce_h * nonce)
|
|
{
|
|
diff --git a/src/auth/digest/Config.h b/src/auth/digest/Config.h
|
|
index 56ccaa9..7fb7673 100644
|
|
--- a/src/auth/digest/Config.h
|
|
+++ b/src/auth/digest/Config.h
|
|
@@ -42,7 +42,7 @@ struct _digest_nonce_h : public hash_link {
|
|
/* number of uses we've seen of this nonce */
|
|
unsigned long nc;
|
|
/* reference count */
|
|
- short references;
|
|
+ uint64_t references;
|
|
/* the auth_user this nonce has been tied to */
|
|
Auth::Digest::User *user;
|
|
/* has this nonce been invalidated ? */
|