From: Henrik Nordstrom
Date: Fri, 25 Sep 2009 01:15:30 +0000 (+0200)
Subject: Bug #2773: Segfault in RFC2069 Digest authantication
X-Git-Tag: SQUID_3_2_0_1~694
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bbe0ed86ec80726e7a6c3f65c6760ccaaa9478b3;p=thirdparty%2Fsquid.git

Bug #2773: Segfault in RFC2069 Digest authantication

Squid segfaulted if digest authentication is enabled an a client responded with RFC2069 style response.
---
diff --git a/lib/rfc2617.c b/lib/rfc2617.c
index 5895421e0a..f7530d6c55 100644
--- a/lib/rfc2617.c
+++ b/lib/rfc2617.c
@@ -168,7 +168,7 @@ DigestCalcResponse(
 SquidMD5Update(&Md5Ctx, pszMethod, strlen(pszMethod));
 SquidMD5Update(&Md5Ctx, ":", 1);
 SquidMD5Update(&Md5Ctx, pszDigestUri, strlen(pszDigestUri));
- if (strcasecmp(pszQop, "auth-int") == 0) {
+ if (pszQop && strcasecmp(pszQop, "auth-int") == 0) {
 SquidMD5Update(&Md5Ctx, ":", 1);
 SquidMD5Update(&Md5Ctx, HEntity, HASHHEXLEN);
 }
@@ -182,7 +182,7 @@ DigestCalcResponse(
 SquidMD5Update(&Md5Ctx, ":", 1);
 SquidMD5Update(&Md5Ctx, pszNonce, strlen(pszNonce));
 SquidMD5Update(&Md5Ctx, ":", 1);
- if (*pszQop) {
+ if (pszQop) {
 SquidMD5Update(&Md5Ctx, pszNonceCount, strlen(pszNonceCount));
 SquidMD5Update(&Md5Ctx, ":", 1);
 SquidMD5Update(&Md5Ctx, pszCNonce, strlen(pszCNonce));
diff --git a/src/auth/digest/auth_digest.cc b/src/auth/digest/auth_digest.cc
index 9cdcaa9927..d482cfbae7 100644
--- a/src/auth/digest/auth_digest.cc
+++ b/src/auth/digest/auth_digest.cc
@@ -1106,6 +1106,7 @@ AuthDigestConfig::decode(char const *proxy_auth)
 /* quote mark */
 p++;
+ safe_free(username);
 username = xstrndup(p, strchr(p, '"') + 1 - p);
 debugs(29, 9, "authDigestDecodeAuth: Found Username '" << username << "'");
@@ -1118,6 +1119,7 @@ AuthDigestConfig::decode(char const *proxy_auth)
 /* quote mark */
 p++;
+ safe_free(digest_request->realm);
 digest_request->realm = xstrndup(p, strchr(p, '"') + 1 - p);
 debugs(29, 9, "authDigestDecodeAuth: Found realm '" << digest_request->realm << "'");
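Review bot: In the second hunk of lib/rfc2617.c, `if (pszQop)` is not equivalent to the old `if (*pszQop)` for a non-NULL empty string: an empty qop used to take the RFC 2069 path and now takes the qop path, where `strlen(pszNonceCount)` and `strlen(pszCNonce)` run on values such a request may not carry. Keeping both tests, `if (pszQop && *pszQop) {`, fixes the NULL dereference without changing how an empty qop is hashed. Whether a caller can pass an empty qop or a NULL nc/cnonce is decided outside these hunks, so a short comment on DigestCalcResponse stating which arguments may be NULL would also help. The function body starts and ends outside the hunk.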
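Review bot: The length passed to `xstrndup` in the username hunk, `strchr(p, '"') + 1 - p`, is computed without checking that `strchr` found a closing quote; when the client's header value has none, `strchr` returns NULL and the arithmetic yields a meaningless size. The same expression appears in the realm, uri, nonce, cnonce and response hunks. Looking the quote up first, `const char *end = strchr(p, '"');`, and treating `!end` as a malformed header before calling `xstrndup(p, end + 1 - p)` would close this. The added `safe_free` calls imply a directive can be seen more than once with the last value winning; if that is intended, a one-line comment saying so would help, otherwise a repeated directive could be rejected. decode() starts and ends outside these hunks, so any validation done earlier is not visible here.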
@@ -1131,6 +1133,7 @@ AuthDigestConfig::decode(char const *proxy_auth)
 /* quote mark */
 p++;
+ safe_free(digest_request->qop);
 digest_request->qop = xstrndup(p, strcspn(p, "\" \t\r\n()<>@,;:\\/[]?={}") + 1);
 debugs(29, 9, "authDigestDecodeAuth: Found qop '" << digest_request->qop << "'");
@@ -1144,6 +1147,7 @@ AuthDigestConfig::decode(char const *proxy_auth)
 /* quote mark */
 p++;
+ safe_free(digest_request->algorithm);
 digest_request->algorithm = xstrndup(p, strcspn(p, "\" \t\r\n()<>@,;:\\/[]?={}") + 1);
 debugs(29, 9, "authDigestDecodeAuth: Found algorithm '" << digest_request->algorithm << "'");
@@ -1156,6 +1160,7 @@ AuthDigestConfig::decode(char const *proxy_auth)
 /* quote mark */
 p++;
+ safe_free(digest_request->uri);
 digest_request->uri = xstrndup(p, strchr(p, '"') + 1 - p);
 debugs(29, 9, "authDigestDecodeAuth: Found uri '" << digest_request->uri << "'");
@@ -1168,6 +1173,7 @@ AuthDigestConfig::decode(char const *proxy_auth)
 /* quote mark */
 p++;
+ safe_free(digest_request->nonceb64);
 digest_request->nonceb64 = xstrndup(p, strchr(p, '"') + 1 - p);
 debugs(29, 9, "authDigestDecodeAuth: Found nonce '" << digest_request->nonceb64 << "'");
@@ -1189,6 +1195,7 @@ AuthDigestConfig::decode(char const *proxy_auth)
 /* quote mark */
 p++;
+ safe_free(digest_request->cnonce);
 digest_request->cnonce = xstrndup(p, strchr(p, '"') + 1 - p);
 debugs(29, 9, "authDigestDecodeAuth: Found cnonce '" << digest_request->cnonce << "'");
@@ -1201,6 +1208,7 @@ AuthDigestConfig::decode(char const *proxy_auth)
 /* quote mark */
 p++;
+ safe_free(digest_request->response);
 digest_request->response = xstrndup(p, strchr(p, '"') + 1 - p);
 debugs(29, 9, "authDigestDecodeAuth: Found response '" << digest_request->response << "'");
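Review bot: The context line `debugs(29, 9, "authDigestDecodeAuth: Found response '" << digest_request->response << "'");` in the last hunk writes the client's digest response to the debug log, and the nonce and cnonce hunks log their values the same way. Together with the username these are authentication material, so they become readable to anyone with access to a log captured at this debug level. Consider logging only that the field was found, e.g. `debugs(29, 9, "authDigestDecodeAuth: Found response");`, or documenting that this debug level records credential-derived data. The surrounding decode() body lies outside the hunk.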