From 80b41e27b7361633bee17c64bbb95490dc94ab9f Mon Sep 17 00:00:00 2001
From: David Sommerseth
Date: Fri, 2 Oct 2009 23:12:45 +0200
Subject: Fixed possible integer overflow issue

The eDBopen_session_seed() function was prune to an integer overflow issue, if the input data (some which comes from clients) exeeds the size_t max value which calloc() uses (via malloc_nullsafe()). The totlen variable was in addition defined as int and the totlen value was multiplied by 2. The fix was to use the maximum values used when calling get_env(). These values the maximum can then be added together to retrieve the maximum length of the seeddata string. This should also make the execution go slightly quicker as strlen_nullsafe() is no longer called for each of the input variables. In addition, there are no reasons to multiply the totlen value by two as it did. Credit goes to Larry Highsmith for noticing this potential problem.
---
plugin/eurephiadb_session.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
(limited to 'plugin')

diff --git a/plugin/eurephiadb_session.c b/plugin/eurephiadb_session.c
index c0a6878..5cadb9c 100644
--- a/plugin/eurephiadb_session.c
+++ b/plugin/eurephiadb_session.c
@@ -79,7 +79,7 @@ eurephiaSESSION *eDBopen_session_seed(eurephiaCTX *ctx, const char *digest,
 char *seeddata = NULL, *seed = NULL, *ptr = NULL;
 SHA512Context sha;
 uint8_t sha_res[SHA512_HASH_SIZE];
- int totlen = 0, i = 0;
+ size_t totlen = 0, i = 0;
 
 DEBUG(ctx, 12, "Function call: eDBopen_session_seed(ctx, '%s', '%s', '%s', '%s', '%s', '%s', '%s')",
 digest, cname, username, vpnipaddr, vpnipmask, remipaddr, remport);
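Review bot: The changed declaration turns `i` into a size_t together with `totlen`, yet every use of `i` is outside this hunk; if any of those loops compares `i` with a signed bound or counts it down past zero, the unsigned type alters behaviour silently instead of failing to compile. Build with `-Wsign-compare` (or `-Wextra`) after this change, or keep `i` as int if it is only an index bounded by a signed constant. eDBopen_session_seed begins before this hunk and its body continues beyond it.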
@@ -93,17 +93,17 @@ eurephiaSESSION *eDBopen_session_seed(eurephiaCTX *ctx, const char *digest,
 new_session->type = ((vpnipaddr == NULL) && (vpnipmask == NULL) ? stAUTHENTICATION : stSESSION);
 
 // Build up a string containing all elements for the session seed
- totlen = strlen_nullsafe(digest) + strlen_nullsafe(cname) + strlen_nullsafe(username)
- + strlen_nullsafe(vpnipaddr) + strlen_nullsafe(vpnipmask) + strlen_nullsafe(remipaddr)
- + strlen_nullsafe(remport) + 20; // +5 == len(pid) + 15 extra buffer if some strings are (null)
+ totlen = 60 + 64 + 34 + 34 + 34 + 34 + 6 + 5 + 15;
+ // max length of: digest + cname + username + vpnipaddr + vpnipmask + remipaddr + remport + pid
+ // + extra buffer
 
- seeddata = (char *) malloc_nullsafe(ctx, (totlen * 2) + 4);
+ seeddata = (char *) malloc_nullsafe(ctx, totlen);
 if( seeddata == NULL ) {
 free_nullsafe(ctx, new_session);
 return NULL;
 }
- snprintf((char *)seeddata, totlen,
- "%s%s%s%s%s%s%s%i", digest, cname, username, vpnipaddr, vpnipmask, remipaddr, remport,getpid());
+ snprintf((char *)seeddata, totlen, "%s%s%s%s%s%s%s%i",
+ digest, cname, username, vpnipaddr, vpnipmask, remipaddr, remport, getpid());
 
 // Generate a SHA512 version of session seed
 memset(&sha, 0, sizeof(SHA512Context));
-- cgit
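Review bot: With `totlen` now a fixed sum, the `snprintf` at the end of the hunk truncates silently whenever one field exceeds the maximum assumed for it, and its return value is still discarded; as these values are partly client-supplied, a truncated seed would never be noticed. Capture the result and reject overlength input, e.g. `int n = snprintf(seeddata, totlen, "%s%s%s%s%s%s%s%i", ...);` followed by `if( n < 0 || (size_t)n >= totlen ) { free_nullsafe(ctx, seeddata); free_nullsafe(ctx, new_session); return NULL; }`. The per-field maxima (60, 64, 34, 6) are bare literals that duplicate values living at the get_env() call sites the commit message refers to; naming them as shared constants would keep the two places from drifting apart. The removed comment's `(null)` remark still applies: `vpnipaddr` and `vpnipmask` may be NULL on the stAUTHENTICATION path visible at the top of the hunk and are passed to `%s`, which glibc prints as `(null)` but the C standard leaves undefined, so substituting `""` for a NULL argument would be sounder than relying on the 15-byte slack. The function's body starts before and continues after this hunk.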