authorDavid Sommerseth <dazo@users.sourceforge.net>2009-10-02 23:12:45 +0200
committerDavid Sommerseth <dazo@users.sourceforge.net>2009-10-02 23:12:45 +0200
commit80b41e27b7361633bee17c64bbb95490dc94ab9f (patch)
treefb270c8adc591609b226355c2674eda4c0cb0167 /plugin
parentf1aa65b94686c555151a6d18c06ae533f58c380e (diff)
Fixed possible integer overflow issue
The eDBopen_session_seed() function was prone to an integer overflow issue, if the input data (some of which comes from clients) exceeds the size_t max value which calloc() uses (via malloc_nullsafe()). The totlen variable was in addition defined as int and the totlen value was multiplied by 2. The fix was to use the maximum values used when calling get_env(). These maximum values can then be added together to retrieve the maximum length of the seeddata string. This should also make the execution go slightly quicker as strlen_nullsafe() is no longer called for each of the input variables. In addition, there are no reasons to multiply the totlen value by two as it did. Credit goes to Larry Highsmith for noticing this potential problem.
Diffstat (limited to 'plugin')
-rw-r--r--plugin/eurephiadb_session.c14
1 files changed, 7 insertions, 7 deletions
diff --git a/plugin/eurephiadb_session.c b/plugin/eurephiadb_session.c
index c0a6878..5cadb9c 100644
--- a/plugin/eurephiadb_session.c
+++ b/plugin/eurephiadb_session.c
@@ -79,7 +79,7 @@ eurephiaSESSION *eDBopen_session_seed(eurephiaCTX *ctx, const char *digest,
char *seeddata = NULL, *seed = NULL, *ptr = NULL;
SHA512Context sha;
uint8_t sha_res[SHA512_HASH_SIZE];
- int totlen = 0, i = 0;
+ size_t totlen = 0, i = 0;
DEBUG(ctx, 12, "Function call: eDBopen_session_seed(ctx, '%s', '%s', '%s', '%s', '%s', '%s', '%s')",
digest, cname, username, vpnipaddr, vpnipmask, remipaddr, remport);
@@ -93,17 +93,17 @@ eurephiaSESSION *eDBopen_session_seed(eurephiaCTX *ctx, const char *digest,
new_session->type = ((vpnipaddr == NULL) && (vpnipmask == NULL) ? stAUTHENTICATION : stSESSION);
// Build up a string containing all elements for the session seed
- totlen = strlen_nullsafe(digest) + strlen_nullsafe(cname) + strlen_nullsafe(username)
- + strlen_nullsafe(vpnipaddr) + strlen_nullsafe(vpnipmask) + strlen_nullsafe(remipaddr)
- + strlen_nullsafe(remport) + 20; // +5 == len(pid) + 15 extra buffer if some strings are (null)
+ totlen = 60 + 64 + 34 + 34 + 34 + 34 + 6 + 5 + 15;
+ // max length of: digest + cname + username + vpnipaddr + vpnipmask + remipaddr + remport + pid
+ // + extra buffer
- seeddata = (char *) malloc_nullsafe(ctx, (totlen * 2) + 4);
+ seeddata = (char *) malloc_nullsafe(ctx, totlen);
if( seeddata == NULL ) {
free_nullsafe(ctx, new_session);
return NULL;
}
- snprintf((char *)seeddata, totlen,
- "%s%s%s%s%s%s%s%i", digest, cname, username, vpnipaddr, vpnipmask, remipaddr, remport,getpid());
+ snprintf((char *)seeddata, totlen, "%s%s%s%s%s%s%s%i",
+ digest, cname, username, vpnipaddr, vpnipmask, remipaddr, remport, getpid());
// Generate a SHA512 version of session seed
memset(&sha, 0, sizeof(SHA512Context));
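Review bot: The fixed bound in `totlen = 60 + 64 + 34 + 34 + 34 + 34 + 6 + 5 + 15;` is only correct while every caller keeps to the get_env() limits, and nothing in this function enforces them; because the `snprintf()` result is discarded, an over-long input would be silently truncated and the trailing fields (remport, pid) would drop out of the seed that is hashed next. I would capture the result, `int n = snprintf(...)`, and fail closed with `if (n < 0 || (size_t) n >= totlen) { free_nullsafe(ctx, seeddata); free_nullsafe(ctx, new_session); return NULL; }`. The bare numbers would be easier to keep in step with the get_env() call sites (not visible here) if they were named constants shared with those calls. Separately, vpnipaddr and vpnipmask are compared against NULL a few lines above, so they can presumably reach `%s` as NULL, which the C standard leaves undefined even though glibc prints `(null)`; substituting `""` for a NULL argument would make that portable. The body of eDBopen_session_seed() starts before and continues after this hunk.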