digest_edirectory_auth: safely return password (#2197)

Previously, nmasldap_get_simple_pwd() and nmasldap_get_password()
could overrun or return non-terminated strings at length
boundaries. This change adds strict bounds checks, copies at most
len - 1, and ensures explicit NUL termination, aligning both
helpers buffer/length semantics without altering call-site
behavior.

diff --git a/src/auth/digest/eDirectory/edir_ldapext.cc b/src/auth/digest/eDirectory/edir_ldapext.cc
index d1680b2293a6601a03e18a3af92bb0802d279676..d0349c6446791d07ed94fc8f79feb0fb51bd95dc 100644 (file)
--- a/src/auth/digest/eDirectory/edir_ldapext.cc
+++ b/src/auth/digest/eDirectory/edir_ldapext.cc
@@ -373,9 +373,7 @@ static int nmasldap_get_simple_pwd(
 
     err = getLoginConfig(ld, objectDN, methodIDLen, &methodID, tag, &pwdBufLen, pwdBuf);
     if (err == 0) {
-        if (pwdBufLen !=0) {
-            pwdBuf[pwdBufLen] = 0;       /* null terminate */
-
+        if (pwdBufLen > 1) {
             switch (pwdBuf[0]) {
             case 1:  /* cleartext password  */
                 break;
@@ -387,10 +385,10 @@ static int nmasldap_get_simple_pwd(
                 err = LDAP_INAPPROPRIATE_AUTH;  /* only return clear text */
                 break;
             }
-
             if (!err) {
-                if (pwdLen >= pwdBufLen-1) {
+                if (pwdLen >= pwdBufLen) {
                     memcpy(pwd, &pwdBuf[1], pwdBufLen-1);  /* skip digest tag and include null */
+                    pwd[pwdBufLen - 1] = '\0';
                 } else {
                     err = LDAP_NO_MEMORY;
                 }
@@ -462,6 +460,8 @@ static int nmasldap_get_password(
             if (*pwdSize >= pwdBufLen+1 && pwd != nullptr) {
                 memcpy(pwd, pwdBuf, pwdBufLen);
                 pwd[pwdBufLen] = 0; /* add null termination */
+            } else {
+                err = LDAP_OPERATIONS_ERROR;
             }
             *pwdSize = pwdBufLen; /* does not include null termination */
         }