From: Michal Luscon <mluscon@redhat.com>
Date: Thu, 18 Apr 2013 05:30:47 +0000 (-0600)
Subject: Bug 3825: basic_ncsa_auth segfaulting with glibc-2.17
X-Git-Tag: SQUID_3_3_4~11
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=46b23bfd18b34fc064dc56b7edd0719c1a1c777b;p=thirdparty%2Fsquid.git

Bug 3825: basic_ncsa_auth segfaulting with glibc-2.17

It appears the crypt() function may return NULL strings. Check for those
before all strcmp() operations.

NOTE: The MD5 output checks are probably not needed but since SquidMD5 is
an object build-time switched between several encryption library API
definitions it is better to be safe here as well.
---

diff --git a/helpers/basic_auth/NCSA/basic_ncsa_auth.cc b/helpers/basic_auth/NCSA/basic_ncsa_auth.cc
index 7ce42f8b00..51b89f7e9a 100644
--- a/helpers/basic_auth/NCSA/basic_ncsa_auth.cc
+++ b/helpers/basic_auth/NCSA/basic_ncsa_auth.cc
@@ -144,19 +144,20 @@ main(int argc, char **argv)
         rfc1738_unescape(user);
         rfc1738_unescape(passwd);
         u = (user_data *) hash_lookup(hash, user);
+        char *crypted = NULL;
         if (u == NULL) {
             SEND_ERR("No such user");
 #if HAVE_CRYPT
-        } else if (strlen(passwd) <= 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) {
+        } else if (strlen(passwd) <= 8 && (crypted = crypt(passwd, u->passwd)) && (strcmp(u->passwd, crypted) == 0)) {
             // Bug 3107: crypt() DES functionality silently truncates long passwords.
             SEND_OK("");
-        } else if (strlen(passwd) > 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) {
+        } else if (strlen(passwd) > 8 && (crypted = crypt(passwd, u->passwd)) && (strcmp(u->passwd, crypted) == 0)) {
             // Bug 3107: crypt() DES functionality silently truncates long passwords.
             SEND_ERR("Password too long. Only 8 characters accepted.");
 #endif
-        } else if (strcmp(u->passwd, (char *) crypt_md5(passwd, u->passwd)) == 0) {
+        } else if ( (crypted = crypt_md5(passwd, u->passwd)) && strcmp(u->passwd, crypted) == 0) {
             SEND_OK("");
-        } else if (strcmp(u->passwd, (char *) md5sum(passwd)) == 0) {
+        } else if ( (crypted =  md5sum(passwd)) && strcmp(u->passwd, crypted) == 0) {
             SEND_OK("");
         } else {
             SEND_ERR("Wrong password");