From: Amos Jeffries <squid3@treenet.co.nz>
Date: Fri, 2 Oct 2009 08:49:33 +0000 (+1300)
Subject: Author: Henrik Nordstrom <henrik@henriknordstrom.net>
X-Git-Tag: SQUID_3_0_STABLE20~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0d927de10bfdbc28fb1fa7276a9f9ab4b5a50271;p=thirdparty%2Fsquid.git

Author: Henrik Nordstrom <henrik@henriknordstrom.net>
Bug 2773: Segfault in RFC2069 Digest authantication

Squid segfaulted if digest authentication is enabled an a client responded
with RFC2069 style response.
---

diff --git a/lib/rfc2617.c b/lib/rfc2617.c
index f653bca91c..a45a2af1de 100644
--- a/lib/rfc2617.c
+++ b/lib/rfc2617.c
@@ -168,7 +168,7 @@ DigestCalcResponse(
     SquidMD5Update(&Md5Ctx, pszMethod, strlen(pszMethod));
     SquidMD5Update(&Md5Ctx, ":", 1);
     SquidMD5Update(&Md5Ctx, pszDigestUri, strlen(pszDigestUri));
-    if (strcasecmp(pszQop, "auth-int") == 0) {
+    if (pszQop && strcasecmp(pszQop, "auth-int") == 0) {
 	SquidMD5Update(&Md5Ctx, ":", 1);
 	SquidMD5Update(&Md5Ctx, HEntity, HASHHEXLEN);
     }
@@ -182,7 +182,7 @@ DigestCalcResponse(
     SquidMD5Update(&Md5Ctx, ":", 1);
     SquidMD5Update(&Md5Ctx, pszNonce, strlen(pszNonce));
     SquidMD5Update(&Md5Ctx, ":", 1);
-    if (*pszQop) {
+    if (pszQop) {
 	SquidMD5Update(&Md5Ctx, pszNonceCount, strlen(pszNonceCount));
 	SquidMD5Update(&Md5Ctx, ":", 1);
 	SquidMD5Update(&Md5Ctx, pszCNonce, strlen(pszCNonce));
diff --git a/src/auth/digest/auth_digest.cc b/src/auth/digest/auth_digest.cc
index 80f959d5ec..5854196764 100644
--- a/src/auth/digest/auth_digest.cc
+++ b/src/auth/digest/auth_digest.cc
@@ -1105,6 +1105,7 @@ AuthDigestConfig::decode(char const *proxy_auth)
             /* quote mark */
             p++;
 
+            safe_free(username);
             username = xstrndup(p, strchr(p, '"') + 1 - p);
 
             debugs(29, 9, "authDigestDecodeAuth: Found Username '" << username << "'");
@@ -1117,6 +1118,7 @@ AuthDigestConfig::decode(char const *proxy_auth)
             /* quote mark */
             p++;
 
+            safe_free(digest_request->realm);
             digest_request->realm = xstrndup(p, strchr(p, '"') + 1 - p);
 
             debugs(29, 9, "authDigestDecodeAuth: Found realm '" << digest_request->realm << "'");
@@ -1130,6 +1132,7 @@ AuthDigestConfig::decode(char const *proxy_auth)
                 /* quote mark */
                 p++;
 
+            safe_free(digest_request->qop);
             digest_request->qop = xstrndup(p, strcspn(p, "\" \t\r\n()<>@,;:\\/[]?={}") + 1);
 
             debugs(29, 9, "authDigestDecodeAuth: Found qop '" << digest_request->qop << "'");
@@ -1143,6 +1146,7 @@ AuthDigestConfig::decode(char const *proxy_auth)
                 /* quote mark */
                 p++;
 
+            safe_free(digest_request->algorithm);
             digest_request->algorithm = xstrndup(p, strcspn(p, "\" \t\r\n()<>@,;:\\/[]?={}") + 1);
 
             debugs(29, 9, "authDigestDecodeAuth: Found algorithm '" << digest_request->algorithm << "'");
@@ -1155,6 +1159,7 @@ AuthDigestConfig::decode(char const *proxy_auth)
             /* quote mark */
             p++;
 
+            safe_free(digest_request->uri);
             digest_request->uri = xstrndup(p, strchr(p, '"') + 1 - p);
 
             debugs(29, 9, "authDigestDecodeAuth: Found uri '" << digest_request->uri << "'");
@@ -1167,6 +1172,7 @@ AuthDigestConfig::decode(char const *proxy_auth)
             /* quote mark */
             p++;
 
+            safe_free(digest_request->nonceb64);
             digest_request->nonceb64 = xstrndup(p, strchr(p, '"') + 1 - p);
 
             debugs(29, 9, "authDigestDecodeAuth: Found nonce '" << digest_request->nonceb64 << "'");
@@ -1188,6 +1194,7 @@ AuthDigestConfig::decode(char const *proxy_auth)
             /* quote mark */
             p++;
 
+            safe_free(digest_request->cnonce);
             digest_request->cnonce = xstrndup(p, strchr(p, '"') + 1 - p);
 
             debugs(29, 9, "authDigestDecodeAuth: Found cnonce '" << digest_request->cnonce << "'");
@@ -1200,6 +1207,7 @@ AuthDigestConfig::decode(char const *proxy_auth)
             /* quote mark */
             p++;
 
+            safe_free(digest_request->response);
             digest_request->response = xstrndup(p, strchr(p, '"') + 1 - p);
 
             debugs(29, 9, "authDigestDecodeAuth: Found response '" << digest_request->response << "'");