This fixes a possible overflow of the nonce reference counter in the
digest authentication scheme, found by security researchers
@synacktiv.
It changes `references` to be a 64-bit unsigned integer, which makes
overflowing the counter impossible in practice.
static void authenticateDigestNonceSetup(void);
static void authDigestNonceEncode(digest_nonce_h * nonce);
static void authDigestNonceLink(digest_nonce_h * nonce);
-#if NOT_USED
-static int authDigestNonceLinks(digest_nonce_h * nonce);
-#endif
static void authDigestNonceUserUnlink(digest_nonce_h * nonce);
static void
{
assert(nonce != NULL);
++nonce->references;
+ assert(nonce->references != 0); // no overflows
debugs(29, 9, "nonce '" << nonce << "' now at '" << nonce->references << "'.");
}
-#if NOT_USED
-static int
-authDigestNonceLinks(digest_nonce_h * nonce)
-{
- if (!nonce)
- return -1;
-
- return nonce->references;
-}
-
-#endif
-
void
authDigestNonceUnlink(digest_nonce_h * nonce)
{
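Review bot: Making `references` a `uint64_t` (the header change further down) changes what an underflow looks like, and the decrement in authDigestNonceUnlink is not visible here because its body starts at the end of this hunk and continues outside it. With an unsigned counter, a decrement at zero wraps to a very large value instead of going negative, so the nonce would presumably never be released and any `references < 0` test would become dead code. Please confirm that the decrement is guarded by `references > 0`. The new check in authDigestNonceLink would also read better with a comment that says why zero is the sentinel, for example `// an unsigned counter wraps to 0 on overflow; a wrapped count no longer matches the number of holders`. If this project's `assert` can be compiled out in some build configurations, that check disappears with it, so it is worth stating whether it is meant as a hard guarantee.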
/* number of uses we've seen of this nonce */
unsigned long nc;
/* reference count */
- short references;
+ uint64_t references;
/* the auth_user this nonce has been tied to */
Auth::Digest::User *user;
/* has this nonce been invalidated ? */