From e0c9a32e9133e1ddc95f4f84a9989d8146d27664 Mon Sep 17 00:00:00 2001
From: desbma-s1n <62935004+desbma-s1n@users.noreply.github.com>
Date: Thu, 2 Apr 2020 11:16:45 +0000
Subject: [PATCH] Fix auth digest refcount integer overflow (#585)

This fixes a possible overflow of the nonce reference counter in the digest authentication scheme, found by security researchers @synacktiv. It changes `references` to be an 64 bits unsigned integer. This makes overflowing the counter impossible in practice.
---
 src/auth/digest/Config.cc | 16 +---------------
 src/auth/digest/Config.h | 2 +-
 2 files changed, 2 insertions(+), 16 deletions(-)

diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
index 815afbe901..8ae4603935 100644
--- a/src/auth/digest/Config.cc
+++ b/src/auth/digest/Config.cc
@@ -96,9 +96,6 @@ static void authenticateDigestNonceDelete(digest_nonce_h * nonce);
 static void authenticateDigestNonceSetup(void);
 static void authDigestNonceEncode(digest_nonce_h * nonce);
 static void authDigestNonceLink(digest_nonce_h * nonce);
-#if NOT_USED
-static int authDigestNonceLinks(digest_nonce_h * nonce);
-#endif
 static void authDigestNonceUserUnlink(digest_nonce_h * nonce);

 static void
@@ -291,21 +288,10 @@ authDigestNonceLink(digest_nonce_h * nonce)
 {
 assert(nonce != NULL);
 ++nonce->references;
+ assert(nonce->references != 0); // no overflows
 debugs(29, 9, "nonce '" << nonce << "' now at '" << nonce->references << "'.");
 }

-#if NOT_USED
-static int
-authDigestNonceLinks(digest_nonce_h * nonce)
-{
- if (!nonce)
- return -1;
-
- return nonce->references;
-}
-
-#endif
-
 void
 authDigestNonceUnlink(digest_nonce_h * nonce)
 {
diff --git a/src/auth/digest/Config.h b/src/auth/digest/Config.h
index 505d756bb1..0555647128 100644
--- a/src/auth/digest/Config.h
+++ b/src/auth/digest/Config.h
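Review bot: The new `assert(nonce->references != 0)` in authDigestNonceLink only detects a wrap because the counter is unsigned (the Config.h change in this same patch), and the comment `// no overflows` should say so, for example `// unsigned wrap-around lands on 0; a wrapped count must not be used`. The guard is also only as strong as `assert` is in this build: whether it stays enabled in release builds is not visible from the hunk, and when it fires it aborts the process. The decrement side, authDigestNonceUnlink, begins in the trailing context but its body is outside the hunk; now that the field is unsigned, a decrement at zero would wrap to the maximum value instead of going negative, so that function should be checked for a `references > 0` guard before it decrements.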
@@ -42,7 +42,7 @@ struct _digest_nonce_h : public hash_link {
 /* number of uses we've seen of this nonce */
 unsigned long nc;
 /* reference count */
- short references;
+ uint64_t references;
 /* the auth_user this nonce has been tied to */
 Auth::Digest::User *user;
 /* has this nonce been invalidated ? */
-- 
2.47.2
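Review bot: The field comment `/* reference count */` in struct _digest_nonce_h does not record why the counter is now 64 bits wide and unsigned, which is the substance of the fix; something like `/* reference count; 64-bit unsigned so it cannot wrap in practice */` would keep a later cleanup from narrowing it again. The change also flips signedness (`short` to `uint64_t`), so any use outside this diff that compares `references` against a negative value or copies it into a narrower type would silently change meaning and is worth a grep. Whether Config.h already includes a header that declares `uint64_t` is not visible in this hunk, and the struct continues past the hunk's last line.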