Blame SOURCES/freeradius-FR-GV-201-check-input-output-length-in-make_secret.patch

From 8af41abbd3c0b078425963d88494cfa4e22627e5 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@freeradius.org>
Date: Tue, 4 Jul 2017 10:12:09 -0400
Subject: [PATCH] FR-GV-201 - check input / output length in make_secret()
---
 src/lib/radius.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/src/lib/radius.c b/src/lib/radius.c
index b9f0f59c9..62ec11c7a 100644
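--- a/src/lib/radius.c
+++ b/src/lib/radius.c
@@ -542,17 +542,17 @@ static ssize_t rad_recvfrom(int sockfd, RADIUS_PACKET *packet, int flags,
  * encrypting passwords to RADIUS.
  */
 static void make_secret(uint8_t *digest, uint8_t const *vector,
-			char const *secret, uint8_t const *value)
+			char const *secret, uint8_t const *value, size_t length)
 {
 	FR_MD5_CTX context;
-	int	     i;
+	size_t	     i;
 
 	fr_md5_init(&context);
 	fr_md5_update(&context, vector, AUTH_VECTOR_LEN);
 	fr_md5_update(&context, (uint8_t const *) secret, strlen(secret));
 	fr_md5_final(digest, &context);
 
-	for ( i = 0; i < AUTH_VECTOR_LEN; i++ ) {
+	for ( i = 0; i < length; i++ ) {
 		digest[i] ^= value[i];
 	}
 }
@@ -1010,8 +1010,8 @@ static ssize_t vp2data_any(RADIUS_PACKET const *packet,
 		 *	always fits.
 		 */
 	case FLAG_ENCRYPT_ASCEND_SECRET:
-		if (len != 16) return 0;
-		make_secret(ptr, packet->vector, secret, data);
+		if (len > AUTH_VECTOR_LEN) len = AUTH_VECTOR_LEN;
+		make_secret(ptr, packet->vector, secret, data, len);
 		len = AUTH_VECTOR_LEN;
 		break;
 
@@ -3769,9 +3769,14 @@ ssize_t data2vp(TALLOC_CTX *ctx,
 				goto raw;
 			} else {
 				uint8_t my_digest[AUTH_VECTOR_LEN];
+				size_t secret_len;
+
+				secret_len = datalen;
+				if (secret_len > AUTH_VECTOR_LEN) secret_len = AUTH_VECTOR_LEN;
+
 				make_secret(my_digest,
 					    original->vector,
-					    secret, data);
+					    secret, data, secret_len);
 				memcpy(buffer, my_digest,
 				       AUTH_VECTOR_LEN );
 				buffer[AUTH_VECTOR_LEN] = '\0';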
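Review bot: In the `data2vp` hunk, a wire value shorter than `AUTH_VECTOR_LEN` leaves the tail of `my_digest` as raw MD5(vector || secret) output, and the unchanged `memcpy(buffer, my_digest, AUTH_VECTOR_LEN )` still copies all `AUTH_VECTOR_LEN` bytes into the decoded value. Unless code after the hunk trims it, that places unmasked keystream bytes in an attribute value that may be logged or proxied; copying only the decrypted part, `memcpy(buffer, my_digest, secret_len);` followed by `buffer[secret_len] = '\0';`, would avoid that. Separately, `make_secret()` now trusts `length` to stay within the digest buffer and only the two visible callers clamp it, so its header comment should state the precondition, e.g. `length must not exceed AUTH_VECTOR_LEN; digest must hold AUTH_VECTOR_LEN bytes`. The `data2vp` and `vp2data_any` bodies and the `make_secret()` comment all begin outside the hunks shown, so the handling after the `'\0'` store could not be checked here.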
-- 
2.13.2