From: desbma-s1n <62935004+desbma-s1n@users.noreply.github.com>
Date: Thu, 2 Apr 2020 11:16:45 +0000 (+0000)
Subject: Fix auth digest refcount integer overflow (#585)
X-Git-Tag: SQUID_5_0_2~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e0c9a32e9133e1ddc95f4f84a9989d8146d27664;p=thirdparty%2Fsquid.git

Fix auth digest refcount integer overflow (#585)

This fixes a possible overflow of the nonce reference counter in the
digest authentication scheme, found by security researchers
@synacktiv.

It changes `references` to be an 64 bits unsigned integer. This makes
overflowing the counter impossible in practice.
---

diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
index 815afbe901..8ae4603935 100644
--- a/src/auth/digest/Config.cc
+++ b/src/auth/digest/Config.cc
@@ -96,9 +96,6 @@ static void authenticateDigestNonceDelete(digest_nonce_h * nonce);
 static void authenticateDigestNonceSetup(void);
 static void authDigestNonceEncode(digest_nonce_h * nonce);
 static void authDigestNonceLink(digest_nonce_h * nonce);
-#if NOT_USED
-static int authDigestNonceLinks(digest_nonce_h * nonce);
-#endif
 static void authDigestNonceUserUnlink(digest_nonce_h * nonce);
 
 static void
@@ -291,21 +288,10 @@ authDigestNonceLink(digest_nonce_h * nonce)
 {
     assert(nonce != NULL);
     ++nonce->references;
+    assert(nonce->references != 0); // no overflows
     debugs(29, 9, "nonce '" << nonce << "' now at '" << nonce->references << "'.");
 }
 
-#if NOT_USED
-static int
-authDigestNonceLinks(digest_nonce_h * nonce)
-{
-    if (!nonce)
-        return -1;
-
-    return nonce->references;
-}
-
-#endif
-
 void
 authDigestNonceUnlink(digest_nonce_h * nonce)
 {
diff --git a/src/auth/digest/Config.h b/src/auth/digest/Config.h
index 505d756bb1..0555647128 100644
--- a/src/auth/digest/Config.h
+++ b/src/auth/digest/Config.h
@@ -42,7 +42,7 @@ struct _digest_nonce_h : public hash_link {
     /* number of uses we've seen of this nonce */
     unsigned long nc;
     /* reference count */
-    short references;
+    uint64_t references;
     /* the auth_user this nonce has been tied to */
     Auth::Digest::User *user;
     /* has this nonce been invalidated ? */