From: Roy Marples <roy@marples.name>
Date: Sun, 21 Jun 2026 22:00:02 +0000 (+0100)
Subject: auth: Ensure remaining dlen matches hash digest length
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=764bb43aa8ec4786bc61be85fdee9cb6111c79b4;p=thirdparty%2Fdhcpcd.git

auth: Ensure remaining dlen matches hash digest length

It's invalid otherwise.

Reported by NVIDIA Project Vanessa
---

diff --git a/src/auth.c b/src/auth.c
index 33aaa5c8..e02696d0 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -75,7 +75,9 @@
 #endif
 #endif /* ntohll */
 
-#define HMAC_LENGTH 16
+#define MD5_DIGEST_LENGTH 16
+/* Maximum digest length we use - currently just MD5 */
+#define HMAC_DIGEST_LENGTH MD5_DIGEST_LENGTH
 
 static void
 free_token(struct token *t)
@@ -122,7 +124,7 @@ dhcp_auth_validate(struct authstate *state, const struct auth *auth,
 	size_t realm_len;
 	const struct token *t;
 	time_t now;
-	uint8_t hmac_code[HMAC_LENGTH];
+	uint8_t hmac_code[HMAC_DIGEST_LENGTH];
 
 	if (dlen < 3 + sizeof(replay)) {
 		errno = EINVAL;
@@ -336,6 +338,19 @@ gottoken:
 		goto finish;
 	}
 
+	/* dlen should now match hash digest length */
+	switch (algorithm) {
+	case AUTH_ALG_HMAC_MD5:
+		if (dlen != MD5_DIGEST_LENGTH) {
+			errno = EINVAL;
+			return NULL;
+		}
+		break;
+	default:
+		errno = ENOSYS;
+		return NULL;
+	}
+
 	/* Make a duplicate of the message, but zero out the MAC part */
 	mm = malloc(mlen);
 	if (mm == NULL)
@@ -359,8 +374,8 @@ gottoken:
 		    sizeof(hmac_code));
 		break;
 	default:
-		errno = ENOSYS;
 		free(mm);
+		errno = ENOSYS;
 		return NULL;
 	}
 
@@ -522,7 +537,7 @@ dhcp_auth_encode(struct dhcpcd_ctx *ctx, struct auth *auth,
     size_t dlen)
 {
 	uint64_t rdm;
-	uint8_t hmac_code[HMAC_LENGTH];
+	uint8_t hmac_code[HMAC_DIGEST_LENGTH];
 	time_t now;
 	uint8_t hops, *p, *m, *data;
 	uint32_t giaddr, secretid;