auth: Check for potentially dangerous NULs in usernames.
authorTimo Sirainen <tss@iki.fi>
Fri, 14 Aug 2009 06:54:41 +0000 (02:54 -0400)
committerTimo Sirainen <tss@iki.fi>
Fri, 14 Aug 2009 06:54:41 +0000 (02:54 -0400)
--HG--
branch : HEAD

src/auth/mech-cram-md5.c
src/auth/mech-digest-md5.c
src/auth/mech-gssapi.c

index aa46e33e0063db0805c5b6bb22ff4ba966b0539e..6c92c11322d6b2a5022796f8f5d74329c4ef9538 100644 (file)
@@ -85,6 +85,10 @@ static bool parse_cram_response(struct cram_auth_request *request,
        /* <username> SPACE <response>. Username may contain spaces, so assume
           the rightmost space is the response separator. */
        for (i = space = 0; i < size; i++) {
+               if (data[i] == '\0') {
+                       *error_r = "NULs in response";
+                       return FALSE;
+               }
                if (data[i] == ' ')
                        space = i;
        }
index fc39994cb2e4634c5174694a9241b5255a173165..86f8b6604a414ad14d8667809efff40a40d990db 100644 (file)
@@ -477,6 +477,8 @@ static bool parse_digest_response(struct digest_auth_request *request,
                return FALSE;
        }
 
+       /* treating response as NUL-terminated string also gets rid of all
+          potential problems with NUL characters in strings. */
        copy = t_strdup_noconst(t_strndup(data, size));
        while (*copy != '\0') {
                if (parse_next(&copy, &key, &value)) {
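Review bot: The new comment above the `t_strndup(data, size)` copy does not say that an embedded NUL makes the parser silently ignore everything after it, whereas the CRAM-MD5 hunk in this commit rejects such a response outright. Assuming `t_strndup` stops at the first NUL, the truncation is the whole of the protection here, so the comment should state it, for example `/* the copy stops at the first NUL, so any bytes after an embedded NUL are dropped here and never reach parse_next() */`. If the two mechanisms are meant to behave the same way, an explicit reject with an error string would match the CRAM-MD5 check. parse_digest_response starts and ends outside this hunk.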
index adca80a787e707c3e99d0e3c56f56e105b0872d2..06c8f269af8b191e1490aa3ac24c534a32cafd8c 100644 (file)
@@ -214,6 +214,18 @@ import_name(struct auth_request *request, void *str, size_t len)
        return name;
 }
 
+static bool data_has_nuls(const void *data, unsigned int len)
+{
+       const unsigned char *c = data;
+       unsigned int i;
+
+       for (i = 0; i < len; i++) {
+               if (c[i] == '\0')
+                       return TRUE;
+       }
+       return FALSE;
+}
+
 static int get_display_name(struct auth_request *auth_request, gss_name_t name,
                            gss_OID *name_type_r, const char **display_name_r)
 {
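Review bot: `data_has_nuls` takes `unsigned int len`, but the call added in the next hunk passes `buf.length`, which is a `size_t` in a GSS-API buffer, and `import_name` just above already takes `size_t len`. On an LP64 build the length would be narrowed, so a very large buffer would be scanned only in part. Declaring it as `static bool data_has_nuls(const void *data, size_t len)` keeps the check covering the same bytes that the later `t_strndup`/`p_strndup` calls copy. The loop body could also be reduced to `return memchr(data, '\0', len) != NULL;`.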
@@ -227,6 +239,11 @@ static int get_display_name(struct auth_request *auth_request, gss_name_t name,
                                      GSS_C_GSS_CODE, "gss_display_name");
                return -1;
        }
+       if (data_has_nuls(buf.value, buf.length)) {
+               auth_request_log_info(auth_request, "gssapi",
+                                     "authn_name has NULs");
+               return -1;
+       }
        *display_name_r = t_strndup(buf.value, buf.length);
        (void)gss_release_buffer(&minor_status, &buf);
        return 0;
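Review bot: The new `return -1;` taken when `data_has_nuls(buf.value, buf.length)` is true leaves `buf` unreleased, because the success path calls `gss_release_buffer(&minor_status, &buf)` only after the copy. The name comes from the authenticating client, so every rejected attempt would leak one buffer in the auth process. Adding `(void)gss_release_buffer(&minor_status, &buf);` before the `return -1;` closes this. The `authz_name` check in the `mech_gssapi_unwrap` hunk returns early in the same way, so if `outbuf` is released later in that function (not visible here) it needs the same treatment. get_display_name begins outside this hunk.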
@@ -498,6 +515,12 @@ mech_gssapi_unwrap(struct gssapi_auth_request *request, gss_buffer_desc inbuf)
        name = (unsigned char *)outbuf.value + 4;
        name_len = outbuf.length - 4;
 
+       if (data_has_nuls(name, name_len)) {
+               auth_request_log_info(auth_request, "gssapi",
+                                     "authz_name has NULs");
+               return -1;
+       }
+
        login_user = p_strndup(auth_request->pool, name, name_len);
        request->authz_name = import_name(auth_request, name, name_len);
        if (request->authz_name == GSS_C_NO_NAME) {