Bug 4936: terminating c-strings beyond BASE64_DECODE_LENGTH (#409)

author Amos Jeffries <yadij@users.noreply.github.com>

Tue, 21 May 2019 05:02:06 +0000 (05:02 +0000)

committer Squid Anubis <squid-anubis@squid-cache.org>

Tue, 21 May 2019 05:41:18 +0000 (05:41 +0000)
author Amos Jeffries <yadij@users.noreply.github.com>
Tue, 21 May 2019 05:02:06 +0000 (05:02 +0000)
committer Squid Anubis <squid-anubis@squid-cache.org>
Tue, 21 May 2019 05:41:18 +0000 (05:41 +0000)
diff --git a/src/auth/negotiate/wrapper/negotiate_wrapper.cc b/src/auth/negotiate/wrapper/negotiate_wrapper.cc

index 38e21f19e38d1d6588fc203f5f7a3321abd2304c..4fac207b543f18902847e7351b05b9ec5572e2c1 100644 (file)
--- a/src/auth/negotiate/wrapper/negotiate_wrapper.cc
+++ b/src/auth/negotiate/wrapper/negotiate_wrapper.cc
@@ -112,7 +112,7 @@ processingLoop(FILE *FDKIN, FILE *FDKOUT, FILE *FDNIN, FILE *FDNOUT)
      char tbuff[MAX_AUTHTOKEN_LEN];
      char buff[MAX_AUTHTOKEN_LEN+2];
      char *c;
-    int length;
+    size_t length;
      uint8_t *token = NULL;
  
      while (1) {
@@ -136,7 +136,7 @@ processingLoop(FILE *FDKIN, FILE *FDKOUT, FILE *FDNIN, FILE *FDNOUT)
              *c = '\0';
              length = c - buf;
              if (debug_enabled)
-                fprintf(stderr, "%s| %s: Got '%s' from squid (length: %d).\n",
+                fprintf(stderr, "%s| %s: Got '%s' from squid (length: %" PRIuSIZE ").\n",
                          LogTime(), PROGRAM, buf, length);
          } else {
              if (debug_enabled)
@@ -181,11 +181,11 @@ processingLoop(FILE *FDKIN, FILE *FDKOUT, FILE *FDNIN, FILE *FDNOUT)
          }
          length = BASE64_DECODE_LENGTH(strlen(buf+3));
          if (debug_enabled)
-            fprintf(stderr, "%s| %s: Decode '%s' (decoded length: %d).\n",
-                    LogTime(), PROGRAM, buf + 3, (int) length);
+            fprintf(stderr, "%s| %s: Decode '%s' (decoded length: %" PRIuSIZE ").\n",
+                    LogTime(), PROGRAM, buf + 3, length);
  
          safe_free(token);
-        if (!(token = static_cast<uint8_t *>(xmalloc(length)))) {
+        if (!(token = static_cast<uint8_t *>(xmalloc(length+1)))) {
              fprintf(stderr, "%s| %s: Error allocating memory for token\n", LogTime(), PROGRAM);
              return 1;
          }
@@ -200,6 +200,7 @@ processingLoop(FILE *FDKIN, FILE *FDKOUT, FILE *FDNIN, FILE *FDNOUT)
              fprintf(stdout, "BH Invalid negotiate request token\n");
              continue;
          }
+        assert(dstLen <= length);
          length = dstLen;
          token[dstLen] = '\0';
author	Amos Jeffries <yadij@users.noreply.github.com>
	Tue, 21 May 2019 05:02:06 +0000 (05:02 +0000)
committer	Squid Anubis <squid-anubis@squid-cache.org>
	Tue, 21 May 2019 05:41:18 +0000 (05:41 +0000)