From 6b13b73d31fb73c449d81bb728c7e2d136c65865 Mon Sep 17 00:00:00 2001
From: Craig Gowing <craiggowing@gmail.com>
Date: Wed, 30 Sep 2020 16:46:39 +0000
Subject: [PATCH] Bug 5076: WCCP Security Info incorrect (#725)

When generating and validating WCCP2 Security Info use only an
8 byte password.
---
 src/wccp2.cc | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/wccp2.cc b/src/wccp2.cc
index 61e31f9220..cfa885ce6d 100644
--- a/src/wccp2.cc
+++ b/src/wccp2.cc
@@ -584,7 +584,9 @@ wccp2_update_md5_security(char *password, char *ptr, char *packet, int len)
 
     SquidMD5Init(&M);
 
-    SquidMD5Update(&M, pwd, sizeof(pwd));
+    static_assert(sizeof(pwd) - 1 == 8, "WCCP2 password has exactly 8 (padded) octets, excluding storage-terminating NUL");
+
+    SquidMD5Update(&M, pwd, sizeof(pwd) - 1);
 
     SquidMD5Update(&M, packet, len);
 
@@ -638,7 +640,9 @@ wccp2_check_security(struct wccp2_service_list_t *srv, char *security, char *pac
 
     SquidMD5Init(&M);
 
-    SquidMD5Update(&M, pwd, sizeof(pwd));
+    static_assert(sizeof(pwd) - 1 == 8, "WCCP2 password has exactly 8 (padded) octets, excluding storage-terminating NUL");
+
+    SquidMD5Update(&M, pwd, sizeof(pwd) - 1);
 
     SquidMD5Update(&M, packet, len);
 
-- 
2.47.2